From: Gleb Natapov
Date: Wed, 28 Jul 2010 18:13:21 +0300
Message-Id: <1280330003-1467-1-git-send-email-gleb@redhat.com>
Subject: [Qemu-devel] [PATCH 0/2] cpu_register_physical_memory() is completely broken.
To: qemu-devel@nongnu.org
Cc: kvm@vger.kernel.org

Or just a little bit? Nothing prevents a guest from configuring a PCI MMIO BAR to overlap a system memory region, and the physical memory address will then become MMIO, but when the guest changes the PCI BAR mapping the physical address location will not become memory again; instead it becomes unassigned. Yes, the guest can only hurt itself by doing this, but real HW works differently, so things that may work on real HW will break in qemu.

Anyway, attached are two patches that fix more pressing issues: a segfault and an abort() that can be triggered by a guest.

To trigger the segfault run Linux in qemu tcg (or apply patch 2 and then kvm can be used too) with standard config. In the guest do the following:

  # setpci -s 00:03.0 0x14.L=0xc000
  # dd if=/dev/zero of=/dev/mem bs=4096 count=1 seek=12

To trigger the abort run Linux in qemu with kvm and do:

  # setpci -s 00:03.0 0x14.L=0xc000

Gleb Natapov (2):
  Fix segfault in mmio subpage handling code.
  Remove guest triggerable abort()

 exec.c    |  2 ++
 kvm-all.c | 16 ++++------------
 2 files changed, 6 insertions(+), 12 deletions(-)
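Added illustration, not part of Gleb's mail and not QEMU's own code: a simplified page-granularity model of the guest physical map that contrasts the flat overwrite the cover letter describes (the page is left unassigned once the BAR moves away) with a layered map that restores the RAM underneath, which is the real-hardware behaviour the mail says qemu lacks. The 0xc000 address and page offset 12 are taken from the setpci/dd lines above; the class and function names are assumptions made for this example.

```python
# Simplified model of a guest physical address space at page granularity.
# This is an illustration written for this thread, not QEMU's
# cpu_register_physical_memory() logic.
RAM, MMIO, UNASSIGNED = "ram", "mmio", "unassigned"
PAGE = 4096


class PhysMap:
    """layered=False: registering a region overwrites whatever was there and
    unregistering leaves the page unassigned (the behaviour described above).
    layered=True: the board-level backing (RAM) stays underneath and is
    restored when the overlapping region is removed, as real hardware does."""

    def __init__(self, ram_bytes, layered):
        self.layered = layered
        # page number -> stack of backings; bottom entry is the board's wiring
        self.pages = {pn: [RAM] for pn in range(ram_bytes // PAGE)}

    @staticmethod
    def _page_range(addr, size):
        return range(addr // PAGE, (addr + size + PAGE - 1) // PAGE)

    def register(self, addr, size, kind):
        for pn in self._page_range(addr, size):
            stack = self.pages.setdefault(pn, [UNASSIGNED])
            if self.layered:
                stack.append(kind)      # keep what was there, put kind on top
            else:
                stack[:] = [kind]       # flat overwrite: old backing is lost

    def unregister(self, addr, size):
        for pn in self._page_range(addr, size):
            stack = self.pages.get(pn)
            if stack is None:
                continue
            if self.layered and len(stack) > 1:
                stack.pop()             # reveal the backing underneath again
            else:
                stack[:] = [UNASSIGNED] # flat map has nothing to fall back to

    def backing(self, addr):
        return self.pages.get(addr // PAGE, [UNASSIGNED])[-1]


def move_bar_over_ram(layered):
    """Map a 4 KiB BAR at 0xc000 (page 12, inside 16 MiB of board RAM),
    then move it away; return the page's backing before/during/after."""
    pm = PhysMap(16 << 20, layered)
    before = pm.backing(0xc000)
    pm.register(0xc000, PAGE, MMIO)     # BAR now shadows the RAM page
    during = pm.backing(0xc000)
    pm.unregister(0xc000, PAGE)         # guest moves the BAR elsewhere
    return before, during, pm.backing(0xc000)
```

In the flat variant a guest access to 0xc000 after the BAR moves hits an unassigned page rather than the RAM that was there, which is the state the two patches have to make safe.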