xen-devel.lists.xenproject.org archive mirror
 help / color / mirror / Atom feed
* [oxenstored]Guest users could get the VM count and domids on the host
@ 2016-07-12  3:35 Sunguodong
  2016-07-27 15:05 ` George Dunlap
  0 siblings, 1 reply; 2+ messages in thread
From: Sunguodong @ 2016-07-12  3:35 UTC (permalink / raw)
  To: xen-devel; +Cc: Fanhenglong

Hi all,

I found a problem in oxenstored, which may be a security issue:
Guest users could get the VM count and domids on the host by a sniffing method.

You can reproduce it like this:
(1) Create a VM, e.g. CentOS 7.0 64bit
(2) Install xen tools in VM, excute cmds:
    yum install centos-release-xen; yum install
(3) Use xenstore-ls to sniff, excute cmds:
    for((i=1;i<=1000;i++));do `xenstore-ls /local/domain/$i 1>>1.txt 2>>2.txt`; done
    then check 2.txt, speculate according the error message. example:
        xenstore-ls: xs_directory (/local/domain/17): No such file or directory
		---which means dom 17 does not exist
        xenstore-ls: xs_directory (/local/domain/19): Permission denied
		---which means dom 19 exists
    Count the number of "Permission denied" and we get the VM count on the host.

I tried xen-4.2 and xen-4.6, same result with above.

But when I use c-xenstored on xen-4.2, all error messages are "Permission denied", 
so there is no way to get any info about other domains on the host.

In func "get_node" of c-xenstored, it will clean up the errno before return:
	/* Clean up errno if they weren't supposed to know. */
	if (!node) 
		errno = errno_from_parents(conn, name, errno, perm);
	return node;
but in oxenstored, there is no such code like this. So, I think this part was missed
when we upgraded c-xenstored to oxenstored.

Please confirm.

Looking forward to your reply, thank you!


Regards,
Jason
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel

^ permalink raw reply	[flat|nested] 2+ messages in thread
* Re: [oxenstored]Guest users could get the VM count and domids on the host
  2016-07-12  3:35 [oxenstored]Guest users could get the VM count and domids on the host Sunguodong
@ 2016-07-27 15:05 ` George Dunlap
  0 siblings, 0 replies; 2+ messages in thread
From: George Dunlap @ 2016-07-27 15:05 UTC (permalink / raw)
  To: Sunguodong; +Cc: Fanhenglong, xen-devel

On Tue, Jul 12, 2016 at 4:35 AM, Sunguodong <sunguodong@huawei.com> wrote:
> Hi all,
>
> I found a problem in oxenstored, which may be a security issue:
> Guest users could get the VM count and domids on the host by a sniffing method.
>
> You can reproduce it like this:
> (1) Create a VM, e.g. CentOS 7.0 64bit
> (2) Install xen tools in VM, excute cmds:
>     yum install centos-release-xen; yum install
> (3) Use xenstore-ls to sniff, excute cmds:
>     for((i=1;i<=1000;i++));do `xenstore-ls /local/domain/$i 1>>1.txt 2>>2.txt`; done
>     then check 2.txt, speculate according the error message. example:
>         xenstore-ls: xs_directory (/local/domain/17): No such file or directory
>                 ---which means dom 17 does not exist
>         xenstore-ls: xs_directory (/local/domain/19): Permission denied
>                 ---which means dom 19 exists
>     Count the number of "Permission denied" and we get the VM count on the host.
>
> I tried xen-4.2 and xen-4.6, same result with above.
>
> But when I use c-xenstored on xen-4.2, all error messages are "Permission denied",
> so there is no way to get any info about other domains on the host.
>
> In func "get_node" of c-xenstored, it will clean up the errno before return:
>         /* Clean up errno if they weren't supposed to know. */
>         if (!node)
>                 errno = errno_from_parents(conn, name, errno, perm);
>         return node;
> but in oxenstored, there is no such code like this. So, I think this part was missed
> when we upgraded c-xenstored to oxenstored.
>
> Please confirm.
>
> Looking forward to your reply, thank you!

Sundong,

Thanks for your report.  At the moment there are actually a fairly large
number of ways to discover active domain IDs through hypercalls as well.
So we will not be treating this as a critical vulnerability.

However, it's always better to make life harder for attackers, so I'm
sure a patch to change oxenstored's behavior would be welcome.
Otherwise, we'll be putting this on a list of improvements to make at
some point.

Also, for future reference, if you find what you think may be a security
vulnerability, please report it directly to the XenProject Securty Team
at security@xenproject.org -- even if you're not sure that it is a
vulnerability yet.  Part of our job is to help figure out if there
really is a vulnerability or not.

Thanks,
 - The XenProject Security Team

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel

^ permalink raw reply	[flat|nested] 2+ messages in thread
end of thread, other threads:[~2016-07-27 15:05 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2016-07-12  3:35 [oxenstored]Guest users could get the VM count and domids on the host Sunguodong
2016-07-27 15:05 ` George Dunlap

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).