On 2023/09/22 16:42, Alyssa Ross wrote:
> Akihiko Odaki <akihiko.od...@gmail.com> writes:
>> Practically there is a very low chance to hit the bug. I think only
>> fuzzers and malicious actors will trigger it, and probably no one will
>> dare to use virtio-gpu-rutabaga or virtio-gpu-gl in a security-sensitive
>> context.
> Well, this is exactly what Chrome OS does, albeit with crosvm rather
> than QEMU, right?
I think so, but QEMU's virtio-gpu-rutabaga and virtio-gpu-gl should be
very different from crosvm in that they do not isolate the graphics
stack into a separate process, while I believe crosvm does.
Having the entire graphics stack in a VMM is a security nightmare; it
means giving a complex shader compiler the highest privilege. We need to
use vhost-user-gpu instead for process isolation.
Since we already have such a serious security hazard, I don't think we
have to care much about security. But security approximately equals
reliability, which matters for virtio-gpu-rutabaga and virtio-gpu-gl
too, so it's still nice to get the bug fixed.