From: Jiri Slaby <jslaby@suse.cz>
To: Peter Maydell <peter.maydell@linaro.org>
Cc: Torin Carey <torin@tcarey.uk>,
qemu-devel@nongnu.org, Chris Friedt <chrisfriedt@gmail.com>
Subject: Re: [PATCH] hw/misc/edu: restrict dma access to dma buffer
Date: Thu, 6 Nov 2025 11:48:57 +0100 [thread overview]
Message-ID: <7a64a3a7-a820-4f0f-9d7c-837965c5b46c@suse.cz> (raw)
In-Reply-To: <508e699e-ba3e-4977-9507-8da7da14fa28@suse.cz>
On 06. 11. 25, 11:45, Jiri Slaby wrote:
> On 06. 11. 25, 11:38, Peter Maydell wrote:
>> On Thu, 6 Nov 2025 at 06:29, Jiri Slaby <jslaby@suse.cz> wrote:
>>>
>>> On 05. 11. 25, 13:18, Torin Carey wrote:
>>>> The EDU device doesn't enforce any bound checks on the addresses
>>>> provided,
>>>> allowing users of the device to perform arbitrary reads and writes
>>>> to QEMU's
>>>> address space.
>>>
>>> Hmm, it was the intention to crash qemu before:
>>> commit 7b608e5d6c1d61430e81cd5c71b0277b99b03f3a
>>> Author: Chris Friedt <chrisfriedt@gmail.com>
>>> Date: Tue Oct 18 08:25:51 2022 -0400
>>>
>>> hw: misc: edu: use qemu_log_mask instead of hw_error
>>>
>>> Log a guest error instead of a hardware error when
>>> the guest tries to DMA to / from an invalid address.
>>>
>>>
>>>
>>> As with a standard device when you program it badly. I don't understand
>>> why the commit changed it to log only and let the code to corrupt the
>>> memory?
>>
>> It's a PCI device. Unless something in the spec of
>> the device says "if you try to DMA outside this range
>> it will be ignored", then typically devices will let you
>> DMA anywhere in the address space. If the guest chooses
>> to program the device to DMA somewhere silly, that's its choice.
>>
>> Is there a spec for this device anywhere? If so, we should
>> follow that. If not, then it's a "make a best guess", and
>> "don't arbitrarily constrain DMA" is a reasonable guess.
>
> It's an educational, fictional device, there is of course no spec for that.
>
>> The reason for the commit above is that devices should
>> not call hw_error() as that crashes QEMU itself.
>
> But that was exactly my intention. Students should see an immediate
> crash, not random, undebuggable (in the given class hours) writes
> somewhere. And crashing a qemu instance was an intended pun.
Which effectively translates the intent into: either we crash again
(revert the commit above), or we only log a warning (is it by default
logged at all?), but won't corrupt memory = no write happens.
> thanks,
--
js
suse labs
next prev parent reply other threads:[~2025-11-06 10:49 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-11-05 12:18 [PATCH] hw/misc/edu: restrict dma access to dma buffer Torin Carey
2025-11-06 6:28 ` Jiri Slaby
2025-11-06 10:38 ` Peter Maydell
2025-11-06 10:45 ` Jiri Slaby
2025-11-06 10:48 ` Jiri Slaby [this message]
2025-11-06 10:53 ` Peter Maydell
2025-11-06 11:01 ` Jiri Slaby
2025-11-06 11:07 ` Peter Maydell
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=7a64a3a7-a820-4f0f-9d7c-837965c5b46c@suse.cz \
--to=jslaby@suse.cz \
--cc=chrisfriedt@gmail.com \
--cc=peter.maydell@linaro.org \
--cc=qemu-devel@nongnu.org \
--cc=torin@tcarey.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).