
Re: [Xen-devel] [PATCH v4 5/8] ioreq-server: add support for multiple servers



On Wed, 2014-04-09 at 14:46 +0100, Jan Beulich wrote:
> >>> On 09.04.14 at 15:32, <Paul.Durrant@xxxxxxxxxx> wrote:
> >> From: Jan Beulich [mailto:JBeulich@xxxxxxxx]
> >> >>> On 02.04.14 at 17:11, <paul.durrant@xxxxxxxxxx> wrote:
> >> Also, I didn't see a limit being enforced on the number of elements
> >> that can be added to these lists, yet allowing this to be unlimited is
> >> a latent security issue.
> >> 
> > 
> > Guest domains cannot add to the lists, only the emulating domain, but if 
> > that is unprivileged then, yes, that is a security issue.
> 
> And hence it needs to be fixed, or the operation added to the list of
> disaggregation-unsafe ones (which XSA-77 added). I'd clearly favor
> the former...

and I will require it.

Quoting from the changelog of the XSA-77 patch:
    It is expected that these lists will be whittled away as each interface is
    audited for safety.
    
    New interfaces should be expected to be safe when introduced (IOW the list
    should never be expanded).
    
Ian.


_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel


 

