From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from eggs.gnu.org ([2001:4830:134:3::10]:37402)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <agrover@redhat.com>) id 1bxH2U-0006w3-Cc
	for qemu-devel@nongnu.org; Thu, 20 Oct 2016 13:22:02 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <agrover@redhat.com>) id 1bxH2R-0001ZM-83
	for qemu-devel@nongnu.org; Thu, 20 Oct 2016 13:21:58 -0400
Received: from mx1.redhat.com ([209.132.183.28]:48008)
	by eggs.gnu.org with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32)
	(Exim 4.71) (envelope-from <agrover@redhat.com>) id 1bxH2R-0001Y7-2Q
	for qemu-devel@nongnu.org; Thu, 20 Oct 2016 13:21:55 -0400
Received: from int-mx13.intmail.prod.int.phx2.redhat.com
	(int-mx13.intmail.prod.int.phx2.redhat.com [10.5.11.26])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by mx1.redhat.com (Postfix) with ESMTPS id C73AF9C0A8
	for <qemu-devel@nongnu.org>; Thu, 20 Oct 2016 17:21:53 +0000 (UTC)
References: <1476871708-25096-1-git-send-email-famz@redhat.com>
	<20161020140827.GA2733@stefanha-x1.localdomain>
	<20161020143059.GA21349@lemon>
From: Andy Grover <agrover@redhat.com>
Message-ID: <16c8a152-0d2c-2ee0-e33f-35147549788b@redhat.com>
Date: Thu, 20 Oct 2016 10:21:53 -0700
MIME-Version: 1.0
In-Reply-To: <20161020143059.GA21349@lemon>
Content-Type: text/plain; charset=windows-1252; format=flowed
Content-Transfer-Encoding: 7bit
Subject: Re: [Qemu-devel] [PATCH RFC] tcmu: Introduce qemu-tcmu
List-Id: <qemu-devel.nongnu.org>
List-Unsubscribe: <https://lists.nongnu.org/mailman/options/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: <http://lists.nongnu.org/archive/html/qemu-devel/>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <https://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=subscribe>
To: Fam Zheng <famz@redhat.com>, Stefan Hajnoczi <stefanha@redhat.com>
Cc: qemu-devel@nongnu.org, Paolo Bonzini <pbonzini@redhat.com>, Pranith Kumar Karampuri <pkarampu@redhat.com>, Vijay Bellur <vbellur@redhat.com>, Huamin Chen <hchen@redhat.com>

On 10/20/2016 07:30 AM, Fam Zheng wrote:
> On Thu, 10/20 15:08, Stefan Hajnoczi wrote:
>> If a corrupt image is able to execute arbitrary code in the qemu-tcmu
>> process, does /dev/uio0 or the tcmu shared memory interface allow get
>> root or kernel privileges?
>
> I haven't audited the code, but target_core_user.ko should contain the access to
> /dev/uioX and make sure there is no security risk regarding buggy or malicious
> handlers. Otherwise it's a bug that should be fixed. Andy can correct me if I'm
> wrong.

Yes... well, TCMU ensures that a bad handler can't scribble to kernel 
memory outside the shared memory area.

UIO devices are basically a "device drivers in userspace" kind of API so 
they require root to use. I seem to remember somebody mentioning ways 
this might work for less-privileged handlers (fd-passing??) but no way 
to do this exists just yet.

Regards -- Andy