Am 09.09.2010 14:52, schrieb Anthony Liguori: > On 09/09/2010 07:44 AM, Kevin Wolf wrote: >>> Isn't this an unbounded, guest controlled, malloc? IOW, a guest could >>> do a request of 4GB and on a 32-bit system crash the qemu instance. >>> >> If you're concerned about that, we need to ban qemu_iovec_to_buffer() >> completely. Currently we do the same thing for every write request for >> every format but raw. > > And QED ;-)
qed doesn't exist. We have something some notices from a brainstorming thread that should become a specification some day. And yes, there's some prototype code. That's everything we have today. Anyway, if you declare qemu_iovec_to_buffer() broken, it doesn't really matter if n-1 formats or n-2 formats are broken... >> Or instead of completely removing it, we could add >> a size limit, though I suspect that would mean violating some specs. >> > > One thing I was thinking of trying was splitting off the first sector > into a linear buffer, then allocating a new iovec and adjusting the new > iovec to cover the new request minus the first sector. That doesn't help any of the other use cases. Either we consider it a problem or not. If we do, it must be fixed everywhere. Kevin
