From: Marcelo Tosatti
Subject: Re: [patch 3/4] KVM: introduce kvm_arch_can_free_memslot, disallow slot deletion if cached cr3
Date: Thu, 7 May 2009 15:58:18 -0300
Message-ID: <20090507185817.GB32150@amt.cnet>
References: <20090427200620.389589459@amt.cnet> <20090427200757.023172987@amt.cnet> <4A02ED43.3010808@redhat.com>
In-Reply-To: <4A02ED43.3010808@redhat.com>
To: Avi Kivity
Cc: kvm@vger.kernel.org

On Thu, May 07, 2009 at 05:16:35PM +0300, Avi Kivity wrote:
> mtosatti@redhat.com wrote:
>> Disallow the deletion of memory slots (and aliases, for x86 case), if a
>> vcpu contains a cr3 that points to such slot/alias.
>>
>
> That allows the guest to induce failures in the host.

I don't understand what you mean. What is the problem with returning
errors in the ioctl handlers?

The guest can cause an overflow in qemu, overwrite the parameters to
KVM_GET_MSR_INDEX_LIST in an attempt to read kernel data, and get -E2BIG.
Or pick your combination.

> Better to triple-fault the guest instead.

Sure, can additionally triple fault it, but the kernel might attempt to
access the non-existent slot which cr3 points to before TRIPLE_FAULT is
processed. So you have to avoid that possibility in the first place;
that's why the patch modifies the ioctls to fail.
>> +int kvm_arch_can_free_memslot(struct kvm *kvm, struct kvm_memory_slot >> *slot) >> +{ >> + return 1; >> +} >> +
>>
>
> In general, instead of stubs in every arch, have x86 say
> KVM_HAVE_ARCH_CAN_FREE_MEMSLOT and define the stub in generic code when
> that define is not present.

Will fix that.
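Review bot: The stub's return convention is not documented at its definition; since the generic caller will treat the value as a yes/no answer, a one-line comment at the definition saying that a non-zero return means the slot may be freed would save readers of the non-x86 arches a trip to the caller. Beyond that, the point raised above stands: one generic fallback, compiled in only when an arch does not define KVM_HAVE_ARCH_CAN_FREE_MEMSLOT, is easier to keep in sync than a copy of this stub in every architecture, and it makes it visible at a glance which arches actually implement the check.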
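The check Marcelo describes for x86, refusing to delete a memslot while any vcpu's cr3 still points into it, as an added user-space model. This is example code written for this page, not the patch's code or KVM's; `struct memslot`, `struct vcpu`, `can_free_memslot()` and the sample slot layout are assumptions made here to illustrate the logic, not KVM's real types or function.

```c
/* Added example (not the patch's code): a user-space model of the x86 check the
 * patch describes. Deletion of a memslot is refused while any vcpu's cr3 still
 * points into it. struct memslot, struct vcpu and can_free_memslot() are
 * assumptions for this model, not KVM's real types or function. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define PAGE_SHIFT 12
/* CR3 carries the page-table root's physical address in bits 12..51; the low
 * bits hold PWT/PCD (or a PCID) and must be masked off before use. */
#define CR3_ADDR_MASK 0x000ffffffffff000ULL

struct memslot {
    uint64_t base_gfn;  /* first guest frame number covered by the slot */
    uint64_t npages;    /* number of pages; 0 marks an unused slot */
};

struct vcpu {
    uint64_t cr3;       /* page-table root as the guest loaded it */
};

/* Guest frame number of the page-table root a vcpu is using. */
uint64_t cr3_root_gfn(uint64_t cr3)
{
    return (cr3 & CR3_ADDR_MASK) >> PAGE_SHIFT;
}

/* Does gfn fall inside this slot? Unused slots cover nothing. */
int gfn_in_slot(const struct memslot *s, uint64_t gfn)
{
    return s->npages != 0 && gfn >= s->base_gfn && gfn - s->base_gfn < s->npages;
}

/* Returns 1 if the slot may be deleted, 0 if some vcpu's cr3 still points into
 * it. A caller in the ioctl path would turn 0 into an error return, which is
 * what the message above argues for: fail the ioctl rather than let the host
 * touch the vanished slot before a triple fault is delivered. */
int can_free_memslot(const struct memslot *slot,
                     const struct vcpu *vcpus, size_t nvcpus)
{
    for (size_t i = 0; i < nvcpus; i++)
        if (gfn_in_slot(slot, cr3_root_gfn(vcpus[i].cr3)))
            return 0;
    return 1;
}

/* Constructed scenario: two slots and two vcpus. vcpus_busy[1]'s cr3 has
 * PWT|PCD (0x18) set in its low bits, which the mask must strip before
 * comparing. */
static const struct memslot slots[2] = {
    { .base_gfn = 0x0,    .npages = 0x100 },  /* guest 0 .. 1 MiB */
    { .base_gfn = 0x1000, .npages = 0x400 },  /* guest 16 .. 20 MiB */
};
static const struct vcpu vcpus_busy[2] = {
    { .cr3 = 0x0000000001001000ULL },         /* root at gfn 0x1001: in slot 1 */
    { .cr3 = 0x0000000000005018ULL },         /* root at gfn 0x5: in slot 0 */
};
/* Same guest after vcpu 0 switched to a page table at 32 MiB (gfn 0x2000). */
static const struct vcpu vcpus_moved[2] = {
    { .cr3 = 0x0000000002000000ULL },
    { .cr3 = 0x0000000000005018ULL },
};

int demo_slot0_busy(void)  { return can_free_memslot(&slots[0], vcpus_busy, 2); }
int demo_slot1_busy(void)  { return can_free_memslot(&slots[1], vcpus_busy, 2); }
int demo_slot1_moved(void) { return can_free_memslot(&slots[1], vcpus_moved, 2); }

int main(void)
{
    printf("slot 0 freeable: %d (vcpu 1's cr3 is in it)\n", demo_slot0_busy());
    printf("slot 1 freeable: %d (vcpu 0's cr3 is in it)\n", demo_slot1_busy());
    printf("slot 1 freeable after vcpu 0 moved: %d\n", demo_slot1_moved());
    return 0;
}
```

Two things this model makes visible that the prose does not. First, the flag bits in cr3 have to be masked before the frame number is compared, or a guest that sets PWT/PCD on its page-table root slips past the check. Second, a cr3-only check sees just the root page: lower-level page-table pages that also live in the slot being deleted are not covered by it, and neither are the x86 memory aliases the patch description mentions, so this model is a narrower guard than a complete implementation would need.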