On 2011-10-17 14:50, Michael S. Tsirkin wrote: > On Mon, Oct 17, 2011 at 02:07:10PM +0200, Jan Kiszka wrote: >> On 2011-10-17 13:57, Michael S. Tsirkin wrote: >>> On Mon, Oct 17, 2011 at 01:23:46PM +0200, Jan Kiszka wrote: >>>> On 2011-10-17 13:10, Michael S. Tsirkin wrote: >>>>> On Mon, Oct 17, 2011 at 11:27:40AM +0200, Jan Kiszka wrote: >>>>>> Only accesses to the MSI-X table must trigger a call to >>>>>> msix_handle_mask_update or a notifier invocation. >>>>>> >>>>>> Signed-off-by: Jan Kiszka <jan.kis...@siemens.com> >>>>> >>>>> Why would msix_mmio_write be called on an access >>>>> outside the table? >>>> >>>> Because it handles both the table and the PBA. >>> >>> Hmm. Interesting. Is there a bug in how we handle PBA >>> updates then? If yes I'd like a separate patch for that >>> to apply to the stable tree. >> >> I first thought it was a serious bug, but it just triggers if the guest >> write to PBA (which is very uncommon) and that actually triggers any >> spurious out-of-bounds vector injection. Highly unlikely. > > Yes guests don't really use PBA ATM. But is there something > bad a malicious guest can do? For example, what if > msix_clr_pending gets invoked with this huge vector value? > > It does seem serious ...
I checked it before and I think it is harmless. The largest vector that can be miscalculated is 255. But bit 255 in the PBA is still safe inside our MMIO page. Jan
signature.asc
Description: OpenPGP digital signature
