From: Paolo Bonzini
Date: Mon, 26 Aug 2013 15:37:16 +0200
Subject: Re: [Qemu-devel] [PATCH] spapr-vscsi: Adding VSCSI capabilities
To: Benjamin Herrenschmidt
Cc: Alexey Kardashevskiy, qemu-ppc@nongnu.org, Alexander Graf, Nikunj A Dadhania, qemu-devel@nongnu.org
Message-ID: <521B5A0C.2050409@redhat.com>
In-Reply-To: <1377463908.3819.24.camel@pasglop>

On 25/08/2013 22:51, Benjamin Herrenschmidt wrote:
> On Sun, 2013-08-25 at 17:41 +0100, Alexander Graf wrote:
>>
>> While I don't think any harm could happen from it, this could lead to
>> a potential timing attack where we read and write from different
>> locations in memory if the guest swizzles the request while we're
>> processing it.
>>
>> It's certainly better style (read: makes it easier to prove this
>> doesn't happen when it really is important) to read the variables into
>> local variables and reuse them there. In this case it mostly helps
>> readability to make sure here and below are the same variables.
>
> Ugh... It's not better style at all, it's also less efficient and the
> "attack" you talk about doesn't exist... All the guest can do is shoot
> itself in the foot.
There are certainly cases where a time-of-check-to-time-of-use vulnerability could make QEMU access uninitialized memory (or worse, out-of-bounds arrays). For example, you could try racing the host on the length of a scatter/gather list.

Paolo
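The double-fetch race Paolo describes, as an added illustration that is not part of this thread and not QEMU's or spapr-vscsi's code: a request header in guest-shared memory carries a scatter/gather entry count, the host validates it and then walks the list. The `struct guest_req` layout, the `MAX_SG` limit and the `guest_race_fn` hook that stands in for a concurrently writing vCPU are all constructed for the example, not the real SRP/vscsi format. The vulnerable version re-reads the count from shared memory after checking it; the hardened version does what Alexander suggests and copies the count into a local variable once, so whatever the guest writes afterwards cannot move the loop bound.

```c
#include <stdint.h>
#include <string.h>

/* Constructed model of a request living in guest-shared memory.
 * Hypothetical layout, not the real spapr-vscsi / SRP structures. */
#define MAX_SG 8

struct sg_entry {
    uint64_t addr;
    uint32_t len;
};

struct guest_req {
    volatile uint32_t nsg;       /* guest-writable at any time: the TOCTOU target */
    struct sg_entry sg[MAX_SG];  /* host-side descriptor table sized by MAX_SG */
};

/* Stand-in for another vCPU rewriting nsg between the host's check and use.
 * A real race needs a second thread; the hook makes it deterministic here. */
typedef void (*guest_race_fn)(struct guest_req *req);

struct walk_result {
    unsigned processed;  /* entries the host walked */
    int oob;             /* 1 if the loop would have indexed past sg[MAX_SG-1] */
};

/* Vulnerable: nsg is fetched from shared memory twice, once to check and
 * once in the loop condition. The guest can change it in between. */
struct walk_result walk_sg_vulnerable(struct guest_req *req, guest_race_fn race)
{
    struct walk_result r = {0, 0};

    if (req->nsg > MAX_SG) {                 /* check: first fetch */
        return r;                            /* reject oversized list */
    }
    if (race) {
        race(req);                           /* guest "swizzles" the request */
    }
    for (uint32_t i = 0; i < req->nsg; i++) {   /* use: second fetch */
        if (i >= MAX_SG) {                   /* real code would read sg[i] OOB */
            r.oob = 1;
            break;
        }
        r.processed++;
    }
    return r;
}

/* Hardened: copy the guest-controlled field once, validate the copy,
 * and only ever use the copy. Later guest writes are irrelevant. */
struct walk_result walk_sg_hardened(struct guest_req *req, guest_race_fn race)
{
    struct walk_result r = {0, 0};
    uint32_t nsg = req->nsg;                 /* single fetch into a local */

    if (nsg > MAX_SG) {
        return r;
    }
    if (race) {
        race(req);                           /* same race, no effect on nsg */
    }
    for (uint32_t i = 0; i < nsg; i++) {
        if (i >= MAX_SG) {                   /* unreachable: nsg <= MAX_SG */
            r.oob = 1;
            break;
        }
        r.processed++;
    }
    return r;
}

/* Constructed racing guest: passes the check with 4, then bumps to 1000. */
static void guest_bumps_nsg(struct guest_req *req)
{
    req->nsg = 1000;
}

/* Constructed request: 4 valid entries in the table. */
static void make_req(struct guest_req *req)
{
    memset(req, 0, sizeof *req);
    req->nsg = 4;
    for (uint32_t i = 0; i < 4; i++) {
        req->sg[i].addr = 0x1000u * (i + 1);
        req->sg[i].len = 512;
    }
}

/* Vulnerable walker under the race: returns 1 if it went out of bounds. */
int demo_vulnerable_oob(void)
{
    struct guest_req req;
    make_req(&req);
    return walk_sg_vulnerable(&req, guest_bumps_nsg).oob;
}

/* Vulnerable walker without a racing guest: processes the 4 entries. */
unsigned demo_vulnerable_no_race(void)
{
    struct guest_req req;
    make_req(&req);
    return walk_sg_vulnerable(&req, NULL).processed;
}

/* Hardened walker under the same race: still processes exactly 4. */
unsigned demo_hardened_under_race(void)
{
    struct guest_req req;
    make_req(&req);
    return walk_sg_hardened(&req, guest_bumps_nsg).processed;
}
```

The `volatile` qualifier on `nsg` models shared memory honestly: without it the compiler may legally keep the first fetch in a register and hide the bug at `-O2`, which is exactly why such races are easy to miss in testing and why reading the value into a local is the reviewable form of the code, not just a style preference.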