From: Paul Brook
Subject: Re: [Qemu-devel] Re: [PATCHv2 09/12] vhost: vhost net support
Date: Sun, 28 Feb 2010 01:59:27 +0000
References: <4B87E62B.5000207@codemonkey.ws> <20100227193824.GA26389@redhat.com>
In-Reply-To: <20100227193824.GA26389@redhat.com>
Message-Id: <201002280159.27231.paul@codesourcery.com>
To: qemu-devel@nongnu.org
Cc: amit.shah@redhat.com, quintela@redhat.com, kraxel@redhat.com, "Michael S. Tsirkin"

> > I'm pretty sure a guest can cause those to change and I'm not 100%
> > sure, but I think it's a potential source of exploits if you assume a
> > mapping. In the very least, a guest can trick vhost into writing to ram
> > that it wouldn't normally write to.
>
> This seems harmless. guest can write anywhere in ram, anyway.

Surely writing to the wrong address is always a fatal flaw.

There certainly exist machines that can change physical RAM mapping. While I wouldn't expect this to happen during normal operation, it could occur between a (virtio-aware) bootloader/BIOS and real kernel.

Paul
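An added illustration of the concern in this thread, not code from QEMU or vhost: a toy backend caches a guest-physical to host-virtual translation built from a memory table, the guest (or firmware) then replaces the table, and a generation counter makes the backend refuse the stale translation instead of writing into memory the address no longer maps to. All names (region_t, mem_table_t, set_mem_table, cached_write) and the two host buffers are hypothetical and constructed here.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>

/* One guest RAM region: guest-physical base, size, and its host mapping. */
typedef struct { uint64_t gpa, size; uint8_t *hva; } region_t;
typedef struct { region_t regions[4]; size_t n; uint64_t generation; } mem_table_t;

/* Translate [gpa, gpa+len) to a host pointer; NULL if not wholly inside one region. */
uint8_t *gpa_to_hva(const mem_table_t *t, uint64_t gpa, uint64_t len) {
    for (size_t i = 0; i < t->n; i++) {
        const region_t *r = &t->regions[i];
        if (gpa >= r->gpa && len <= r->size && gpa - r->gpa <= r->size - len)
            return r->hva + (gpa - r->gpa);
    }
    return NULL;
}

/* The layout changes (guest remap, BIOS-to-kernel handover, ...): install the
 * new table and bump the generation so every cached translation is invalid. */
void set_mem_table(mem_table_t *t, const region_t *regions, size_t n) {
    for (size_t i = 0; i < n; i++) t->regions[i] = regions[i];
    t->n = n;
    t->generation++;
}

/* A cached translation remembers which table generation produced it. */
typedef struct { uint8_t *hva; uint64_t generation; } cached_xlat_t;

/* Backend write that trusts the cache only while the generation still matches;
 * on mismatch it refuses so the caller re-translates against the new table. */
bool cached_write(const mem_table_t *t, cached_xlat_t *c, uint8_t v) {
    if (c->generation != t->generation) return false;
    *c->hva = v;
    return true;
}

/* Constructed scenario: GPA 0x1000 first backs onto buf_a, then the guest
 * remaps it onto buf_b after the backend has cached the old translation.
 * Returns 0 when the stale write was refused and neither buffer was touched. */
static uint8_t buf_a[0x1000], buf_b[0x1000];

int demo_stale_translation(void) {
    mem_table_t t = { .n = 0, .generation = 0 };
    region_t before = { 0x1000, 0x1000, buf_a };
    region_t after  = { 0x1000, 0x1000, buf_b };
    set_mem_table(&t, &before, 1);
    cached_xlat_t c = { gpa_to_hva(&t, 0x1000, 1), t.generation };
    set_mem_table(&t, &after, 1);            /* mapping changed under the backend */
    bool wrote = cached_write(&t, &c, 0xAA); /* without the check this hits buf_a */
    return (!wrote && buf_a[0] == 0 && buf_b[0] == 0) ? 0 : 1;
}
```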