Re: RFC: virtio-hostmem (+ Continuation of discussion from [virtio-dev] Memory sharing device)

["Michael S. Tsirkin" <mst@redhat.com>]

On Mon, Feb 25, 2019 at 10:54:03AM -0800, Roman Kiryanov wrote:
> > >   â The host does not back the region at all and a page fault happens.
> >
> > Then what? Guest dies?
> > That doesn't sound reasonable, in particular if you want to
> > allow userspace to map this memory.
> 
> In our implementation we call mmap after asking the host to back the region.

So I guess spec should not say host does not have to back the region
then.


> https://photos.app.goo.gl/NJvPBvvFS3S3n9mn6
> 
> Nothing prevents a guest to call mmap on an unbacked region, then the
> guest will die. If it is possible for the device to figure out if an
> address range
> is backed in VM, the guest driver could talk to the device to fail an mmap
> call if a region is not accessible.

So if driver needs specific knowlegde from the device that needs to be
in the spec.

> > >   â The host has already allocated host RAM (from some source; vkMapMemory,
> > >     malloc(), mmap, etc) memory of some kind and maps a page-aligned host
> > >     pointer to the guest physical address corresponding to the region.
> >
> > I'm not sure what does "of some kind" mean here.
> 
> Memory from any API call that could be used for access through this
> address range.

So just RAM really?

> > Also host and guest might have different ideas about
> > what does page-aligned mean.
> 
> In our implementation we do aligning (for VM operations) and unaligning in the
> guest userspace (because mmap is page aligned) to get the pointer to handle
> pointers in the middle of a page (we have no control on pointers returned
> from a third party API).
> 
> Regards,
> Roman.

I'm not sure how does above answer the comment.  I understand you are
using all kind of APIs internally in your hypervisor but please put
things in terms that can apply to host/guest communication. I can kind
of read it between the lines if I squint hard enough but this makes my
head hurt and there's no guarantee I do it correctly.

To try and put things in your terms, if you try to map a range of memory
you get access to a page that can be bigger than the range you asked
for.  It can cause two ranges to violate a security boundary, cause
information leaks, etc. A library can play with offsets and give a well
behaved application an illusion of a private range but if it ends up
sharing a page of memory with a malicious application then there's no
security boundary between them.

HTH

-- 
MST