From: Avi Kivity <avi@redhat.com>
To: Amit Shah <amit.shah@redhat.com>
Cc: Rusty Russell <rusty@rustcorp.com.au>,
Arnd Bergmann <arnd@arndb.de>,
qemu-devel@nongnu.org, Frederic Weisbecker <fweisbec@gmail.com>,
Yoshihiro YUNOMAE <yoshihiro.yunomae.ez@hitachi.com>,
yrl.pp-manager.tt@hitachi.com, linux-kernel@vger.kernel.org,
Borislav Petkov <bp@amd64.org>,
virtualization@lists.linux-foundation.org,
Herbert Xu <herbert@gondor.hengli.com.au>,
"Franch Ch. Eigler" <fche@redhat.com>,
Ingo Molnar <mingo@redhat.com>,
Mathieu Desnoyers <mathieu.desnoyers@efficios.com>,
Steven Rostedt <rostedt@goodmis.org>,
Anthony Liguori <anthony@codemonkey.ws>,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
Masami Hiramatsu <masami.hiramatsu.pt@hitachi.com>
Subject: Re: [Qemu-devel] [RFC PATCH 2/6] virtio/console: Add a failback for unstealable pipe buffer
Date: Thu, 09 Aug 2012 12:58:13 +0300 [thread overview]
Message-ID: <502389B5.4020506@redhat.com> (raw)
In-Reply-To: <20120809095514.GJ3280@amit.redhat.com>
On 08/09/2012 12:55 PM, Amit Shah wrote:
> On (Thu) 09 Aug 2012 [18:24:58], Masami Hiramatsu wrote:
>> (2012/08/09 18:03), Amit Shah wrote:
>> > On (Tue) 24 Jul 2012 [11:37:18], Yoshihiro YUNOMAE wrote:
>> >> From: Masami Hiramatsu <masami.hiramatsu.pt@hitachi.com>
>> >>
>> >> Add a failback memcpy path for unstealable pipe buffer.
>> >> If buf->ops->steal() fails, virtio-serial tries to
>> >> copy the page contents to an allocated page, instead
>> >> of just failing splice().
>> >>
>> >> Signed-off-by: Masami Hiramatsu <masami.hiramatsu.pt@hitachi.com>
>> >> Cc: Amit Shah <amit.shah@redhat.com>
>> >> Cc: Arnd Bergmann <arnd@arndb.de>
>> >> Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
>> >> ---
>> >>
>> >> drivers/char/virtio_console.c | 28 +++++++++++++++++++++++++---
>> >> 1 files changed, 25 insertions(+), 3 deletions(-)
>> >>
>> >> diff --git a/drivers/char/virtio_console.c b/drivers/char/virtio_console.c
>> >> index fe31b2f..911cb3e 100644
>> >> --- a/drivers/char/virtio_console.c
>> >> +++ b/drivers/char/virtio_console.c
>> >> @@ -794,7 +794,7 @@ static int pipe_to_sg(struct pipe_inode_info *pipe, struct pipe_buffer *buf,
>> >> struct splice_desc *sd)
>> >> {
>> >> struct sg_list *sgl = sd->u.data;
>> >> - unsigned int len = 0;
>> >> + unsigned int offset, len;
>> >>
>> >> if (sgl->n == MAX_SPLICE_PAGES)
>> >> return 0;
>> >> @@ -807,9 +807,31 @@ static int pipe_to_sg(struct pipe_inode_info *pipe, struct pipe_buffer *buf,
>> >>
>> >> len = min(buf->len, sd->len);
>> >> sg_set_page(&(sgl->sg[sgl->n]), buf->page, len, buf->offset);
>> >> - sgl->n++;
>> >> - sgl->len += len;
>> >> + } else {
>> >> + /* Failback to copying a page */
>> >> + struct page *page = alloc_page(GFP_KERNEL);
>> >
>> > I prefer zeroing out the page. If there's not enough data to be
>> > filled in the page, the remaining data can be leaked to the host.
>>
>> Yeah, it is really easy to fix that.
>> But out of curiosity, would that be really a problem?
>> I guess that host can access any guest page if need. If that
>> is right, is that really insecure to leak randomly allocated
>> unused page to the host?
>
> I'm not sure if there is a way to really attack, but just something I
> had thought about: the host kernel can access any guest page, that's
> not something we can prevent.
>
> However, if qemu is restricted from accessing guest pages, and the
> guest shares this page with qemu for r/w purposes via the virtio
> channel, a qemu exploit can expose guest data to host userspace.
>
> I agree this is completely theoretical; can someone else with more
> insight confirm or deny my apprehensions?
qemu can read and write any guest page (for the guest it controls).
--
error compiling committee.c: too many arguments to function
next prev parent reply other threads:[~2012-08-09 9:58 UTC|newest]
Thread overview: 35+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-07-24 2:36 [Qemu-devel] [RFC PATCH 0/6] virtio-trace: Support virtio-trace Yoshihiro YUNOMAE
2012-07-24 2:37 ` [Qemu-devel] [RFC PATCH 1/6] virtio/console: Add splice_write support Yoshihiro YUNOMAE
2012-08-09 9:00 ` Amit Shah
2012-08-09 9:12 ` Masami Hiramatsu
2012-07-24 2:37 ` [Qemu-devel] [RFC PATCH 2/6] virtio/console: Add a failback for unstealable pipe buffer Yoshihiro YUNOMAE
2012-08-09 9:03 ` Amit Shah
2012-08-09 9:24 ` Borislav Petkov
2012-08-09 9:24 ` Masami Hiramatsu
2012-08-09 9:55 ` Amit Shah
2012-08-09 9:58 ` Avi Kivity [this message]
2012-08-09 10:14 ` Amit Shah
2012-08-09 12:35 ` Steven Rostedt
2012-07-24 2:37 ` [Qemu-devel] [RFC PATCH 3/6] virtio/console: Wait until the port is ready on splice Yoshihiro YUNOMAE
2012-07-24 2:37 ` [Qemu-devel] [RFC PATCH 4/6] ftrace: Allow stealing pages from pipe buffer Yoshihiro YUNOMAE
2012-07-30 22:12 ` Steven Rostedt
2012-07-24 2:37 ` [Qemu-devel] [RFC PATCH 5/6] virtio/console: Allocate scatterlist according to the current pipe size Yoshihiro YUNOMAE
2012-07-24 2:37 ` [Qemu-devel] [RFC PATCH 6/6] tools: Add guest trace agent as a user tool Yoshihiro YUNOMAE
2012-07-24 3:27 ` [Qemu-devel] [RFC PATCH 0/6] virtio-trace: Support virtio-trace Masami Hiramatsu
2012-07-24 10:02 ` Stefan Hajnoczi
2012-07-24 11:03 ` Masami Hiramatsu
2012-07-24 11:19 ` Yoshihiro YUNOMAE
2012-07-24 13:41 ` Stefan Hajnoczi
2012-07-25 9:13 ` Yoshihiro YUNOMAE
2012-07-26 10:52 ` Stefan Hajnoczi
2012-07-24 13:43 ` Stefan Hajnoczi
2012-07-24 20:26 ` Blue Swirl
2012-07-25 8:15 ` Masami Hiramatsu
2012-07-27 18:58 ` Blue Swirl
2012-07-26 11:35 ` Amit Shah
2012-07-27 8:55 ` Yoshihiro YUNOMAE
2012-07-27 9:43 ` Amit Shah
2012-07-31 0:52 ` Yoshihiro YUNOMAE
2012-08-09 10:16 ` Amit Shah
2012-08-21 2:17 ` Rusty Russell
2012-08-21 5:09 ` Amit Shah
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=502389B5.4020506@redhat.com \
--to=avi@redhat.com \
--cc=amit.shah@redhat.com \
--cc=anthony@codemonkey.ws \
--cc=arnd@arndb.de \
--cc=bp@amd64.org \
--cc=fche@redhat.com \
--cc=fweisbec@gmail.com \
--cc=gregkh@linuxfoundation.org \
--cc=herbert@gondor.hengli.com.au \
--cc=linux-kernel@vger.kernel.org \
--cc=masami.hiramatsu.pt@hitachi.com \
--cc=mathieu.desnoyers@efficios.com \
--cc=mingo@redhat.com \
--cc=qemu-devel@nongnu.org \
--cc=rostedt@goodmis.org \
--cc=rusty@rustcorp.com.au \
--cc=virtualization@lists.linux-foundation.org \
--cc=yoshihiro.yunomae.ez@hitachi.com \
--cc=yrl.pp-manager.tt@hitachi.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).