On Thu, 10/20 10:21, Andy Grover wrote: > On 10/20/2016 07:30 AM, Fam Zheng wrote: > > On Thu, 10/20 15:08, Stefan Hajnoczi wrote: > > > If a corrupt image is able to execute arbitrary code in the qemu-tcmu > > > process, does /dev/uio0 or the tcmu shared memory interface allow get > > > root or kernel privileges? > > > > I haven't audited the code, but target_core_user.ko should contain the > > access to > > /dev/uioX and make sure there is no security risk regarding buggy or > > malicious > > handlers. Otherwise it's a bug that should be fixed. Andy can correct me if > > I'm > > wrong. > > Yes... well, TCMU ensures that a bad handler can't scribble to kernel memory > outside the shared memory area.
Thanks! > > UIO devices are basically a "device drivers in userspace" kind of API so > they require root to use. I seem to remember somebody mentioning ways this > might work for less-privileged handlers (fd-passing??) but no way to do this > exists just yet. In my example in the cover letter I use chmod + non-root which seems to be working properly. So I think fd-passing is a promising mechanism. Fam > > Regards -- Andy >