All of lore.kernel.org
 help / color / mirror / Atom feed
From: Ian Jackson <Ian.Jackson@eu.citrix.com>
To: Haitao Shan <maillists.shan@gmail.com>
Cc: xen-devel@lists.xensource.com, Deegan <Tim.Deegan@citrix.com>,
	George Dunlap <George.Dunlap@eu.citrix.com>Tim,
	Keir Fraser <keir.fraser@eu.citrix.com>
Subject: Re: [PATCH] tools/ioemu: Fixing Security Hole in Qemu MSIX table access management
Date: Thu, 25 Aug 2011 12:06:24 +0100	[thread overview]
Message-ID: <20054.11440.90844.633430@mariner.uk.xensource.com> (raw)
In-Reply-To: <CAFQ2Z+f+7ax3G63NgvghtjYX3ZucofVYQ6AOtMHaA+dCUT8+-g@mail.gmail.com>

Haitao Shan writes ("[Xen-devel] [PATCH] tools/ioemu: Fixing Security Hole in Qemu MSIX table access management"):
> As reported by Jan, current Qemu does not handle MSIX table mapping properly.
> 
> Details:
> 
> MSI-X table resides in one of the physical BARs. When Qemu handles
> guest's changes to BAR register (within which, MSI-X table resides),
> Qemu first allows access of the whole BAR MMIO ranges and then removes
> those of MSI-X. There is a small window here. It is possible that on a
> SMP guests one vcpu could have access to the physical MSI-X
> configurations when another vcpu is writing BAR registers.
> 
> The patch fixes this issue by first producing the valid MMIO ranges by
> removing MSI-X table's range from the whole BAR mmio range and later
> passing these ranges to Xen.

I'm afraid it wasn't clear to me what the consensus was on the status
of the attached patch, and I'm not very familiar with the code.

Also, if this is a security problem we should really issue an advisory...

Ian.

  parent reply	other threads:[~2011-08-25 11:06 UTC|newest]

Thread overview: 7+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2011-07-12  5:24 [PATCH] tools/ioemu: Fixing Security Hole in Qemu MSIX table access management Haitao Shan
2011-07-12  7:05 ` Jan Beulich
2011-07-12  9:30   ` Haitao Shan
2011-07-12  9:48     ` Jan Beulich
2011-07-12 13:32       ` Haitao Shan
2011-08-25 11:06 ` Ian Jackson [this message]
2011-08-25 11:55   ` Jan Beulich

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20054.11440.90844.633430@mariner.uk.xensource.com \
    --to=ian.jackson@eu.citrix.com \
    --cc=George.Dunlap@eu.citrix.com \
    --cc=Tim.Deegan@citrix.com \
    --cc=maillists.shan@gmail.com \
    --cc=xen-devel@lists.xensource.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.