On 25/08/2013 22:51, Benjamin Herrenschmidt wrote:
> On Sun, 2013-08-25 at 17:41 +0100, Alexander Graf wrote:
>>
>> While I don't think any harm could happen from it, this could lead to
>> a potential timing attack where we read and write from different
>> locations in memory if the guest swizzles the request while we're
>> processing it.
>>
>> It's certainly better style (read: makes it easier to prove this
>> doesn't happen when it really is important) to read the variables into
>> local variables and reuse them there. In this case it mostly helps
>> readability to make sure here and below are the same variables.
>
> Ugh... It's not better style at all, it's also less efficient and the
> "attack" you talk about doesn't exist... All the guest can do is shoot
> itself in the foot.
There are certainly cases where a time-of-check-to-time-of-use vulnerability could make QEMU access uninitialized memory (or worse, out-of-bounds arrays). For example, you could try racing the host on the length of a scatter/gather list.

Paolo
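The scatter/gather race Paolo describes, as an added illustration that is not code from the thread or from QEMU: a constructed request descriptor in guest-writable memory, a racy walker that re-reads the entry count after checking it, and the "read once into a local" variant Alexander argues for. The `guest_hook_fn` callback is a hypothetical stand-in for the guest rewriting the descriptor in the check-to-use window.

```c
#include <stdint.h>
#include <stddef.h>

/* Constructed model (not QEMU code): a request descriptor the guest owns and
 * can rewrite at any moment, parsed by a device emulator on the host. */
#define MAX_SG_ENTRIES 8

struct sg_entry { uint64_t addr; uint32_t len; };

struct request {
    volatile uint32_t num_sg;          /* guest-controlled, in shared memory */
    struct sg_entry sg[MAX_SG_ENTRIES];
};

/* Hypothetical hook standing in for the guest rewriting the descriptor
 * between the host's bounds check and its use of the value. */
typedef void (*guest_hook_fn)(struct request *req);

/* Racy pattern: num_sg is re-read from shared memory after the check, so a
 * guest write in the window moves the loop bound past sg[]. Returns the
 * number of entries the loop visited. */
size_t walk_sg_racy(struct request *req, guest_hook_fn race) {
    size_t visited = 0;
    if (req->num_sg > MAX_SG_ENTRIES)       /* check uses read #1 */
        return 0;
    if (race) race(req);                    /* guest swizzles the descriptor */
    for (uint32_t i = 0; i < req->num_sg; i++) {   /* bound is read #2 */
        /* Clamped only to keep this demo memory-safe; real code would read
         * past the end of sg[] here. */
        if (i < MAX_SG_ENTRIES) (void)req->sg[i].len;
        visited++;
    }
    return visited;
}

/* Hardened pattern: read the guest-controlled field once into a local,
 * validate the snapshot, and use only the snapshot afterwards. */
size_t walk_sg_safe(struct request *req, guest_hook_fn race) {
    uint32_t num_sg = req->num_sg;          /* the only read of shared memory */
    size_t visited = 0;
    if (num_sg > MAX_SG_ENTRIES)
        return 0;
    if (race) race(req);                    /* guest's write changes nothing below */
    for (uint32_t i = 0; i < num_sg; i++) {
        (void)req->sg[i].len;
        visited++;
    }
    return visited;
}

/* Constructed guest behaviour: bump the entry count past the validated limit. */
void guest_grow_list(struct request *req) { req->num_sg = MAX_SG_ENTRIES + 4; }
```

With a three-entry list and the hook firing in the window, the racy walker visits 12 entries while the snapshotting walker still visits exactly 3.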