> So guest can cause vhost to write to a wrong place in RAM, but it can
> just pass a wrong address directly.  

That's not the point. Obviously any DMA capable device can be used to 
compromise a system. However if a device writes to address B after being told 
to write to address A, then you have a completely broken system.

> As long as vhost does not access a
> non-RAM address, we are definitely fine.

Why does it matter what it's changed to? The virtio DMA addresses guest 
physical addresses. If guest physical address mappings change then the virtio 
device must respect those changes. The extreme case is a system with an IOMMU 
(not currently implemented in QEMU). In that case it's likely that physical-
RAM mappings will change frequently.

Paul

