Message-ID: <1377564315.3819.88.camel@pasglop>
From: Benjamin Herrenschmidt
Date: Tue, 27 Aug 2013 10:45:15 +1000
In-Reply-To: <521B5A0C.2050409@redhat.com>
References: <1377249737-12570-1-git-send-email-aik@ozlabs.ru> <24C2B209-2082-4AF8-A8FB-1FF8A8B7751B@suse.de> <1377463908.3819.24.camel@pasglop> <521B5A0C.2050409@redhat.com>
Subject: Re: [Qemu-devel] [PATCH] spapr-vscsi: Adding VSCSI capabilities
To: Paolo Bonzini
Cc: Alexey Kardashevskiy, qemu-ppc@nongnu.org, Alexander Graf, Nikunj A Dadhania, qemu-devel@nongnu.org

On Mon, 2013-08-26 at 15:37 +0200, Paolo Bonzini wrote:
> There are certainly cases where a time-of-check-to-time-of-use
> vulnerability could make QEMU access uninitialized memory (or worse,
> out-of-bounds arrays). For example, you could try racing the host on
> the length of a scatter/gather list.

Sure, and I mentioned that too; the latest patch from Nikunj addresses it.
I still think, however, that it's not a good practice to copy everything,
then do the byteswaps on the result (and it defeats use of sparse for
endian checking if we ever want to do that).

Ben.
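The following is an added example, not code from QEMU or from the spapr-vscsi patch under discussion. It models the hazard Paolo describes (a guest racing the host on the length of a scatter/gather list that lives in guest-shared memory) next to the "copy the descriptor out once, then byteswap and validate the copy" approach Ben refers to. The descriptor layout, the `SG_MAX_ENTRIES` and `HOST_BUF_SIZE` limits, the `race_fn` hook that stands in for a concurrent guest write, and all function names are constructed for illustration.

```c
/* Added example, not QEMU or spapr-vscsi code.  Layout, limits and the
 * race hook are constructed for illustration. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SG_MAX_ENTRIES 4    /* constructed device limit */
#define HOST_BUF_SIZE  64   /* constructed host-side buffer size */

/* Wire layout as the guest places it in shared memory: all big-endian,
 * all guest-controlled. */
struct sg_desc_be { uint32_t n_entries; uint32_t len[SG_MAX_ENTRIES]; };

/* Host-order twin.  Converting into a distinct type instead of byteswapping
 * the copy in place keeps the wire/host distinction visible in the types,
 * which is what an endianness checker such as sparse relies on. */
struct sg_desc_host { uint32_t n_entries; uint32_t len[SG_MAX_ENTRIES]; };

typedef void (*race_fn)(struct sg_desc_be *shared);

/* Portable big-endian helpers, independent of host byte order. */
static uint32_t be32_to_cpu(uint32_t v)
{
    const unsigned char *b = (const unsigned char *)&v;
    return ((uint32_t)b[0] << 24) | ((uint32_t)b[1] << 16) |
           ((uint32_t)b[2] << 8) | (uint32_t)b[3];
}

static uint32_t cpu_to_be32(uint32_t v)
{
    uint32_t out;
    unsigned char *b = (unsigned char *)&out;
    b[0] = (unsigned char)(v >> 24); b[1] = (unsigned char)(v >> 16);
    b[2] = (unsigned char)(v >> 8);  b[3] = (unsigned char)v;
    return out;
}

/* Racy pattern: every read goes straight to guest-shared memory, so the
 * values that were checked are not necessarily the values that get used.
 * Returns the byte count the transfer would write into the host buffer, or
 * -1 if the list was rejected.  (n is re-clamped at use time only so this
 * demo itself stays memory-safe.) */
static long process_racy(struct sg_desc_be *shared, race_fn race)
{
    uint32_t n = be32_to_cpu(shared->n_entries);           /* CHECK */
    if (n > SG_MAX_ENTRIES)
        return -1;
    uint64_t total = 0;                 /* 64-bit: four 32-bit lengths can wrap */
    for (uint32_t i = 0; i < n; i++)
        total += be32_to_cpu(shared->len[i]);
    if (total > HOST_BUF_SIZE)
        return -1;

    if (race)
        race(shared);                   /* the window: guest rewrites the list */

    long written = 0;                                      /* USE */
    n = be32_to_cpu(shared->n_entries);
    if (n > SG_MAX_ENTRIES)
        n = SG_MAX_ENTRIES;
    for (uint32_t i = 0; i < n; i++)
        written += be32_to_cpu(shared->len[i]);
    return written;                     /* can exceed HOST_BUF_SIZE */
}

/* Snapshot pattern: copy the descriptor out of shared memory once, convert
 * the copy to host order, and never touch shared memory again.  Nothing the
 * guest does after the copy can change what was validated. */
static long process_snapshot(struct sg_desc_be *shared, race_fn race)
{
    struct sg_desc_be wire;
    struct sg_desc_host local;

    memcpy(&wire, shared, sizeof wire);                    /* single copy */
    local.n_entries = be32_to_cpu(wire.n_entries);
    for (uint32_t i = 0; i < SG_MAX_ENTRIES; i++)
        local.len[i] = be32_to_cpu(wire.len[i]);

    if (local.n_entries > SG_MAX_ENTRIES)
        return -1;
    uint64_t total = 0;
    for (uint32_t i = 0; i < local.n_entries; i++)
        total += local.len[i];
    if (total > HOST_BUF_SIZE)
        return -1;

    if (race)
        race(shared);                   /* same window, now harmless */

    long written = 0;
    for (uint32_t i = 0; i < local.n_entries; i++)
        written += local.len[i];
    return written;
}

/* Constructed stand-in for a concurrent guest write inside the window. */
static void guest_enlarges_first_entry(struct sg_desc_be *shared)
{
    shared->len[0] = cpu_to_be32(1000);
}

/* Runs one processing routine on a constructed two-entry list. */
static long run(long (*process)(struct sg_desc_be *, race_fn), race_fn race,
                uint32_t len0, uint32_t len1)
{
    struct sg_desc_be d = { cpu_to_be32(2), { cpu_to_be32(len0), cpu_to_be32(len1) } };
    return process(&d, race);
}

int main(void)
{
    printf("racy, raced:     %ld\n", run(process_racy, guest_enlarges_first_entry, 16, 16));
    printf("snapshot, raced: %ld\n", run(process_snapshot, guest_enlarges_first_entry, 16, 16));
    return 0;
}
```

With a 16+16 list and a simulated guest write in the window, `process_racy` reports 1016 bytes against a 64-byte host buffer, while `process_snapshot` still reports the 32 bytes it validated. The snapshot converts into a separate host-order struct rather than swapping the copied bytes in place, so the wire and host representations stay distinct at the type level, which is the property Ben wants to preserve for sparse-style endian checking.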