On 26.11.24 09:02, Wei Chen wrote:
A malicious guest can exploit virtio-mem to release memory back to the
hypervisor and attempt Rowhammer attacks.
Please provide more information on how this is supposed to work, whether
this is a purely theoretical case, and how relevant this is in practice.
Because I am not sure how relevant and accurate this statement is, and
if any action is needed at all.
Further, what about virtio-balloon, which does not even support
rejecting requests?
The only case reasonable for
unplugging is when the size > requested_size.
I recall that that behavior was desired once the driver would support
de-fragmenting unplugged memory blocks. I don't think drivers do that
today (would have to double-check the Windows one). The spec does not
document what is to happen in that case.
Note that VIRTIO_MEM_REQ_UNPLUG_ALL would still always be allowed, so
this change would not cover all cases. VIRTIO_MEM_REQ_UNPLUG_ALL could
be rate-limited -- if there is a real issue here.
Signed-off-by: Wei Chen <[email protected]>
Signed-off-by: Zhi Zhang <[email protected]>
---
hw/virtio/virtio-mem.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/hw/virtio/virtio-mem.c b/hw/virtio/virtio-mem.c
index 80ada89551..4ef67082a2 100644
--- a/hw/virtio/virtio-mem.c
+++ b/hw/virtio/virtio-mem.c
@@ -671,6 +671,10 @@ static int virtio_mem_state_change_request(VirtIOMEM
*vmem, uint64_t gpa,
return VIRTIO_MEM_RESP_NACK;
}
+ if (!plug && vmem->size <= vmem->requested_size) {
+ return VIRTIO_MEM_RESP_NACK;
+ }
+
/* test if really all blocks are in the opposite state */
if ((plug && !virtio_mem_is_range_unplugged(vmem, gpa, size)) ||
(!plug && !virtio_mem_is_range_plugged(vmem, gpa, size))) {
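Review bot: the new guard in this hunk only compares the plugged size before the request, so an unplug of `size` bytes is still accepted when `vmem->size` is just above `vmem->requested_size` and the request takes it below the target; if the intent is to keep the plugged size from dropping under `requested_size`, the condition should be `size > vmem->size || vmem->size - size < vmem->requested_size` rather than `vmem->size <= vmem->requested_size`. The check also sits only in the plug/unplug request path, so VIRTIO_MEM_REQ_UNPLUG_ALL is unaffected, and a one-line comment explaining why an unplug is NACKed here would help, since the spec does not document the expected device behaviour in this case.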
--
Cheers,
David / dhildenb
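To make the gap in the proposed condition concrete, here is a small constructed model of the virtio-mem size bookkeeping (added example; this is not QEMU code, and the struct, block size and request sizes are assumptions). It runs the same request through the patch's "size <= requested_size" guard and through a delta-aware guard, and shows that only the latter stops the plugged size from ending up below the requested size.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed model of the device's size bookkeeping (not QEMU's struct). */
typedef struct {
    uint64_t block_size;     /* bytes per memory block */
    uint64_t size;           /* currently plugged bytes */
    uint64_t requested_size; /* target set by the hypervisor */
} model_vmem;

enum { RESP_ACK = 0, RESP_NACK = 1 };

/* Guard as proposed in the patch: refuse unplug while size <= requested_size,
 * otherwise apply the request without looking at how much is unplugged. */
static int unplug_patch_check(model_vmem *vmem, uint64_t size)
{
    if (vmem->size <= vmem->requested_size)
        return RESP_NACK;
    vmem->size -= size;
    return RESP_ACK;
}

/* Delta-aware guard: refuse any unplug that would leave size < requested_size. */
static int unplug_delta_check(model_vmem *vmem, uint64_t size)
{
    if (size > vmem->size || vmem->size - size < vmem->requested_size)
        return RESP_NACK;
    vmem->size -= size;
    return RESP_ACK;
}

/* Scenario (constructed): 2 MiB blocks, target 8 blocks, 9 blocks plugged,
 * guest asks to unplug 4 blocks. Returns plugged size after the request. */
static uint64_t run_scenario(int (*check)(model_vmem *, uint64_t), int *resp)
{
    model_vmem vmem = { .block_size = 2 * 1024 * 1024 };
    vmem.requested_size = 8 * vmem.block_size;
    vmem.size = vmem.requested_size + vmem.block_size;
    *resp = check(&vmem, 4 * vmem.block_size);
    return vmem.size;
}

int main(void)
{
    int resp;
    uint64_t after = run_scenario(unplug_patch_check, &resp);
    printf("patch guard: resp=%d size=%llu blocks\n", resp, (unsigned long long)(after >> 21));
    after = run_scenario(unplug_delta_check, &resp);
    printf("delta guard: resp=%d size=%llu blocks\n", resp, (unsigned long long)(after >> 21));
    return 0;
}
```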