From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from mailman by lists.gnu.org with tmda-scanned (Exim 4.43)
	id 1NlgEO-0004Hh-CX
	for qemu-devel@nongnu.org; Sun, 28 Feb 2010 05:18:36 -0500
Received: from [199.232.76.173] (port=38019 helo=monty-python.gnu.org)
	by lists.gnu.org with esmtp (Exim 4.43) id 1NlgEN-0004HZ-Hu
	for qemu-devel@nongnu.org; Sun, 28 Feb 2010 05:18:35 -0500
Received: from Debian-exim by monty-python.gnu.org with spam-scanned (Exim
	4.60) (envelope-from <mst@redhat.com>) id 1NlgEM-00064J-A3
	for qemu-devel@nongnu.org; Sun, 28 Feb 2010 05:18:35 -0500
Received: from mx1.redhat.com ([209.132.183.28]:26396)
	by monty-python.gnu.org with esmtp (Exim 4.60)
	(envelope-from <mst@redhat.com>) id 1NlgEL-00064F-US
	for qemu-devel@nongnu.org; Sun, 28 Feb 2010 05:18:34 -0500
Date: Sun, 28 Feb 2010 12:15:09 +0200
From: "Michael S. Tsirkin" <mst@redhat.com>
Subject: Re: [Qemu-devel] Re: [PATCHv2 09/12] vhost: vhost net support
Message-ID: <20100228101509.GB28921@redhat.com>
References: <cover.1267122331.git.mst@redhat.com>
	<4B87E62B.5000207@codemonkey.ws>
	<20100227193824.GA26389@redhat.com>
	<201002280159.27231.paul@codesourcery.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <201002280159.27231.paul@codesourcery.com>
List-Id: qemu-devel.nongnu.org
List-Unsubscribe: <http://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: <http://lists.gnu.org/pipermail/qemu-devel>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <http://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=subscribe>
To: Paul Brook <paul@codesourcery.com>
Cc: amit.shah@redhat.com, kraxel@redhat.com, qemu-devel@nongnu.org, quintela@redhat.com

On Sun, Feb 28, 2010 at 01:59:27AM +0000, Paul Brook wrote:
> > > I'm pretty sure a guest can cause those to change and I'm not 100%
> > > sure,   but I think it's a potential source of exploits if you assume a
> > > mapping. In the very least, a guest can trick vhost into writing to ram
> > > that it wouldn't normally write to.
> > 
> > This seems harmless. guest can write anywhere in ram, anyway.
> 
> Surely writing to the wrong address is always a fatal flaw.

If guest does an illegal operation, it can corrupt its own memory.
This is the case with physical devices as well.

>  There certainly 
> exist machines that can change physical RAM mapping.

I am talking about mapping between phy RAM offset and qemu virt address.
When can it change without RAM in question going away?

> While I wouldn't expect 
> this to happen during normal operation, it could occur between a (virtio-
> aware) bootloader/BIOS and real kernel.
> 
> Paul

Should not matter for vhost, it is only active if driver is active ...