Re: [Xen-devel] [PATCH v4 5/8] ioreq-server: add support for multiple servers
On Wed, 2014-04-09 at 14:46 +0100, Jan Beulich wrote:
> >>> On 09.04.14 at 15:32, <Paul.Durrant@xxxxxxxxxx> wrote:
> >> From: Jan Beulich [mailto:JBeulich@xxxxxxxx]
> >> >>> On 02.04.14 at 17:11, <paul.durrant@xxxxxxxxxx> wrote:
> >> Also, I didn't see a limit being enforced on the number of elements
> >> that can be added to these lists, yet allowing this to be unlimited is
> >> a latent security issue.
> >>
> >
> > Guest domains cannot add to the lists, only the emulating domain, but if
> > that is unprivileged then, yes, that is a security issue.
>
> And hence it needs to be fixed, or the operation added to the list of
> disaggregation-unsafe ones (which XSA-77 added). I'd clearly favor
> the former...

and I will require it. Quoting from the changelog of the XSA-77 patch:

        It is expected that these lists will be whittled away as each
        interface is audited for safety.

        New interfaces should be expected to be safe when introduced
        (IOW the list should never be expanded).

Ian.

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel