Date: Thu, 12 Mar 2015 13:47:12 +0000
From: Stefan Hajnoczi
To: John Snow
Cc: pbonzini@redhat.com, stefanha@redhat.com, qemu-devel@nongnu.org, qemu-block@nongnu.org
Subject: Re: [Qemu-devel] [Qemu-block] [PATCH 0/2] AHCI: avoid mapping stale guest memory
Message-ID: <20150312134712.GV10493@stefanha-thinkpad.redhat.com>
In-Reply-To: <1426022944-17882-1-git-send-email-jsnow@redhat.com>

On Tue, Mar 10, 2015 at 05:29:02PM -0400, John Snow wrote:
> Currently, the AHCI device tries to re-map guest memory every time
> the low or high address registers are written to, whether or not the
> AHCI device is currently active. If the other register has stale
> information in it, this may lead to runtime failures.
>
> Reconfigure the AHCI device to ignore writes to these registers while
> the device is active, and otherwise postpone the dma memory map until
> the device becomes active.
>
> John Snow (2):
>   AHCI: Do not (re)map FB/CLB buffers while not running
>   AHCI: Protect cmd register
>
>  hw/ide/ahci.c | 61 ++++++++++++++++++++++++++++++++++++++++++++---------------
>  hw/ide/ahci.h |  2 ++
>  2 files changed, 48 insertions(+), 15 deletions(-)

hw/ide/ahci.c: In function ‘ahci_state_post_load’:
hw/ide/ahci.c:1396:23: error: unused variable ‘pr’ [-Werror=unused-variable]
     AHCIPortRegs *pr = &ad->port_regs;

What happens if a malicious/buggy guest provides a bogus address? It
looks like the code still sets the "on" bit in the cmd register because
it doesn't check whether the mapped pointer is non-NULL.
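The behaviour discussed in this message, as an added example that is not part of the original mail and is not QEMU code: a small constructed device model that ignores address writes while running, maps the guest buffer only on start, and sets the "on" bit only when the mapping is non-NULL. All names (`struct port`, `map_guest`, `port_write_addr`, `port_write_cmd`, `CMD_START`, `CMD_RUNNING`) and the 4 KiB guest RAM are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
/* Constructed model, not QEMU code: guest RAM is a 4 KiB array. */
#define GUEST_RAM_SIZE 4096u
#define CMD_START   (1u << 0)  /* guest asks the port to start */
#define CMD_RUNNING (1u << 1)  /* device-reported "on" bit */
static uint8_t guest_ram[GUEST_RAM_SIZE];

struct port {
    uint32_t addr_lo, addr_hi, cmd; /* guest-visible registers */
    uint8_t *buf;                   /* host mapping, NULL when unmapped */
};

/* Returns NULL unless [addr, addr + len) lies inside guest RAM. */
static uint8_t *map_guest(uint64_t addr, size_t len)
{
    if (addr >= GUEST_RAM_SIZE || len > GUEST_RAM_SIZE - addr)
        return NULL;
    return &guest_ram[addr];
}

/* Address writes are ignored while running; nothing is mapped here. */
void port_write_addr(struct port *p, bool high, uint32_t val)
{
    if (p->cmd & CMD_RUNNING)
        return;
    if (high) p->addr_hi = val; else p->addr_lo = val;
}

/* Map only on start; report "on" only if the mapping succeeded. */
bool port_write_cmd(struct port *p, uint32_t val)
{
    if ((val & CMD_START) && !(p->cmd & CMD_RUNNING)) {
        uint64_t addr = ((uint64_t)p->addr_hi << 32) | p->addr_lo;
        p->buf = map_guest(addr, 256);
        if (p->buf == NULL)
            return false;           /* bogus address: stay stopped */
        p->cmd |= CMD_START | CMD_RUNNING;
    } else if (!(val & CMD_START)) {
        p->buf = NULL;              /* stop: drop the mapping */
        p->cmd &= ~(CMD_START | CMD_RUNNING);
    }
    return (p->cmd & CMD_RUNNING) != 0;
}

int main(void)
{
    struct port p = { .addr_hi = 0xdead }; /* stale high half */
    return port_write_cmd(&p, CMD_START);  /* 0: start refused */
}
```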