On Mon, 2011-09-26 at 22:45 +0300, Pekka Enberg wrote:

On Mon, Sep 26, 2011 at 10:37 PM, Sasha Levin [off-list ref] wrote:

quoted

quoted

Interesting.  This is a theoretical issue, correct?
Not a crash you actually see.

Actually it was an actual crash caused when our virtio-net driver in kvm
tools did funny things and passed '(u32)-1' length as a buffer length to
the guest kernel.

I'm not sure what Michael means with "theoretical issue" here. Can the guest
driver assume that the hypervisor doesn't attempt to do nasty things?

afaik if the hypervisor can access the vcpus and the memory of the
guest, this shouldn't be a security issue - more of a bug prevention
issue.

I guess it'll be interesting the other way around, when it's the guest
that passes this buggy information to the hypervisor.

-- 

Sasha.