From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from [140.186.70.92] (port=41403 helo=eggs.gnu.org)
	by lists.gnu.org with esmtp (Exim 4.43) id 1OUbDs-0004kV-Rx
	for qemu-devel@nongnu.org; Fri, 02 Jul 2010 04:03:45 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.69)
	(envelope-from <stefanha@gmail.com>) id 1OUbDo-0004XT-Ip
	for qemu-devel@nongnu.org; Fri, 02 Jul 2010 04:03:44 -0400
Received: from mail-vw0-f45.google.com ([209.85.212.45]:59037)
	by eggs.gnu.org with esmtp (Exim 4.69)
	(envelope-from <stefanha@gmail.com>) id 1OUbDo-0004XH-GH
	for qemu-devel@nongnu.org; Fri, 02 Jul 2010 04:03:40 -0400
Received: by vws18 with SMTP id 18so3468519vws.4
	for <qemu-devel@nongnu.org>; Fri, 02 Jul 2010 01:03:39 -0700 (PDT)
MIME-Version: 1.0
In-Reply-To: <20100701193034.GA7421@localhost>
References: <20100629172522.GA8227@localhost>
	<AANLkTimZRp6xusr_o2W58_avpbhrgxDHbEp0gjYUY8jp@mail.gmail.com>
	<20100701193034.GA7421@localhost>
Date: Fri, 2 Jul 2010 09:03:39 +0100
Message-ID: <AANLkTinZ6TlNB71KTH9CjhH3wTn4TuAZ5wbceg-Kue4-@mail.gmail.com>
From: Stefan Hajnoczi <stefanha@gmail.com>
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
Subject: [Qemu-devel] Re: Status update
List-Id: qemu-devel.nongnu.org
List-Unsubscribe: <http://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: <http://lists.nongnu.org/archive/html/qemu-devel>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <http://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=subscribe>
To: Eduard - Gabriel Munteanu <eduard.munteanu@linux360.ro>
Cc: qemu-devel@nongnu.org, joro@8bytes.org, paul@codesourcery.com, kvm@vger.kernel.org, avi@redhat.com

On Thu, Jul 1, 2010 at 8:30 PM, Eduard - Gabriel Munteanu
<eduard.munteanu@linux360.ro> wrote:
> On Wed, Jun 30, 2010 at 09:37:31AM +0100, Stefan Hajnoczi wrote:
>> On Tue, Jun 29, 2010 at 6:25 PM, Eduard - Gabriel Munteanu
>> <eduard.munteanu@linux360.ro> wrote:
>> > On the other hand, we could just leave it alone for now. Changing
>> > mappings during DMA is stupid anyway: I don't think the guest can
>> > recover the results of DMA safely, even though it might be used on
>> > transfers in progress you simply don't care about anymore. Paul Brook
>> > suggested we could update the cpu_physical_memory_map() mappings
>> > somehow, but I think that's kinda difficult to accomplish.
>>
>> A malicious or broken guest shouldn't be able to crash or corrupt QEMU
>> process memory. =A0The IOMMU can only map from bus addresses to guest
>> physical RAM (?) so the worst the guest can do here is corrupt itself?
>>
> That's true, but it's fair to be concerned about the guest itself.
> Imagine it runs some possibly malicious apps which program the hardware
> to do DMA. That should be safe when a IOMMU is present.
>
> But suddenly the guest OS changes mappings and expects the IOMMU to
> enforce them as soon as invalidation commands are completed. The guest
> then reclaims the old space for other uses. This leaves an opportunity
> for those processes to corrupt or read sensitive data.

As long as QEMU acts in the same way as real hardware we should be
okay.  Will real hardware change the mappings immediately and abort
the DMA from the device if it tries to access an invalidated address?

Stefan