On 09/09/2010 07:44 AM, Kevin Wolf wrote:
> > Isn't this an unbounded, guest controlled, malloc?  IOW, a guest could
> > do a request of 4GB and on a 32-bit system crash the qemu instance.
> If you're concerned about that, we need to ban qemu_iovec_to_buffer()
> completely. Currently we do the same thing for every write request for
> every format but raw.

And QED ;-)

> Or instead of completely removing it, we could add
> a size limit, though I suspect that would mean violating some specs.

One thing I was thinking of trying was splitting off the first sector into a linear buffer, then allocating a new iovec and adjusting the new iovec to cover the new request minus the first sector.

> If I was a guest though and wanted to crash qemu, I would just mess up
> the virtio ring a bit so that qemu would exit() voluntarily. ;-)

Yeah, we're terrible at this but we should try to avoid making things worse. Particularly in a code path (like raw images) where we don't have this problem today.

Regards,

Anthony Liguori

> Kevin
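One way to realize the split Anthony sketches above (first sector into a linear buffer, a new iovec for the rest so that no guest-sized malloc is needed), as an added example that is not QEMU's code: it assumes plain POSIX struct iovec rather than QEMUIOVector, a 512-byte sector, and the hypothetical names split_first_sector and demo_split.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <sys/uio.h>
#define SECTOR_SIZE 512  /* assumed sector size for this example */

/* Copy the first sector of request (iov, cnt) into the fixed buffer first[]
 * and return in *rest_iov a new iovec array covering everything after it.
 * Memory use is bounded by SECTOR_SIZE plus cnt iovec entries, never by the
 * guest-chosen byte length.  Returns the entry count of *rest_iov, or -1 on
 * a request shorter than one sector or on allocation failure. */
static int split_first_sector(const struct iovec *iov, int cnt,
                              uint8_t first[SECTOR_SIZE], struct iovec **rest_iov)
{
    size_t done = 0, off = 0;   /* bytes in first[]; bytes consumed of iov[i] */
    int i = 0, n = 0;
    struct iovec *rest;
    while (done < SECTOR_SIZE && i < cnt) {
        size_t take = iov[i].iov_len - off;
        if (take > SECTOR_SIZE - done) take = SECTOR_SIZE - done;
        memcpy(first + done, (const uint8_t *)iov[i].iov_base + off, take);
        done += take; off += take;
        if (off == iov[i].iov_len) { i++; off = 0; }   /* entry fully used */
    }
    if (done < SECTOR_SIZE) return -1;                 /* short request */
    if (!(rest = calloc((size_t)(cnt - i) + 1, sizeof(*rest)))) return -1;
    for (; i < cnt; i++, off = 0) {   /* a partly used entry keeps its tail */
        rest[n].iov_base = (uint8_t *)iov[i].iov_base + off;
        rest[n].iov_len = iov[i].iov_len - off;
        n++;
    }
    *rest_iov = rest;
    return n;
}

/* Constructed sample: a 1024-byte request in three segments where byte k
 * holds k & 0xff.  Returns 0 when the split yields the expected pieces. */
static int demo_split(void)
{
    uint8_t data[1024], first[SECTOR_SIZE];
    struct iovec req[3] = { { .iov_base = data, .iov_len = 100 },
        { .iov_base = data + 100, .iov_len = 600 }, { .iov_base = data + 700, .iov_len = 324 } };
    struct iovec *rest;
    int n, k, ok;
    for (k = 0; k < 1024; k++) data[k] = (uint8_t)k;
    n = split_first_sector(req, 3, first, &rest);
    if (n != 2) return 1;          /* tail of entry 1 plus all of entry 2 */
    ok = memcmp(first, data, SECTOR_SIZE) == 0 && rest[1].iov_len == 324 &&
         rest[0].iov_base == data + 512 && rest[0].iov_len == 188;
    free(rest);
    return ok ? 0 : 2;
}
```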

