* [oxenstored]Guest users could get the VM count and domids on the host
@ 2016-07-12 3:35 Sunguodong
2016-07-27 15:05 ` George Dunlap
0 siblings, 1 reply; 2+ messages in thread
From: Sunguodong @ 2016-07-12 3:35 UTC (permalink / raw)
To: xen-devel; +Cc: Fanhenglong
Hi all,
I found a problem in oxenstored, which may be a security issue:
Guest users could get the VM count and domids on the host by a sniffing method.
You can reproduce it like this:
(1) Create a VM, e.g. CentOS 7.0 64bit
(2) Install xen tools in VM, excute cmds:
yum install centos-release-xen; yum install
(3) Use xenstore-ls to sniff, excute cmds:
for((i=1;i<=1000;i++));do `xenstore-ls /local/domain/$i 1>>1.txt 2>>2.txt`; done
then check 2.txt, speculate according the error message. example:
xenstore-ls: xs_directory (/local/domain/17): No such file or directory
---which means dom 17 does not exist
xenstore-ls: xs_directory (/local/domain/19): Permission denied
---which means dom 19 exists
Count the number of "Permission denied" and we get the VM count on the host.
I tried xen-4.2 and xen-4.6, same result with above.
But when I use c-xenstored on xen-4.2, all error messages are "Permission denied",
so there is no way to get any info about other domains on the host.
In func "get_node" of c-xenstored, it will clean up the errno before return:
/* Clean up errno if they weren't supposed to know. */
if (!node)
errno = errno_from_parents(conn, name, errno, perm);
return node;
but in oxenstored, there is no such code like this. So, I think this part was missed
when we upgraded c-xenstored to oxenstored.
Please confirm.
Looking forward to your reply, thank you!
Regards,
Jason
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel
^ permalink raw reply [flat|nested] 2+ messages in thread
* Re: [oxenstored]Guest users could get the VM count and domids on the host
2016-07-12 3:35 [oxenstored]Guest users could get the VM count and domids on the host Sunguodong
@ 2016-07-27 15:05 ` George Dunlap
0 siblings, 0 replies; 2+ messages in thread
From: George Dunlap @ 2016-07-27 15:05 UTC (permalink / raw)
To: Sunguodong; +Cc: Fanhenglong, xen-devel
On Tue, Jul 12, 2016 at 4:35 AM, Sunguodong <sunguodong@huawei.com> wrote:
> Hi all,
>
> I found a problem in oxenstored, which may be a security issue:
> Guest users could get the VM count and domids on the host by a sniffing method.
>
> You can reproduce it like this:
> (1) Create a VM, e.g. CentOS 7.0 64bit
> (2) Install xen tools in VM, excute cmds:
> yum install centos-release-xen; yum install
> (3) Use xenstore-ls to sniff, excute cmds:
> for((i=1;i<=1000;i++));do `xenstore-ls /local/domain/$i 1>>1.txt 2>>2.txt`; done
> then check 2.txt, speculate according the error message. example:
> xenstore-ls: xs_directory (/local/domain/17): No such file or directory
> ---which means dom 17 does not exist
> xenstore-ls: xs_directory (/local/domain/19): Permission denied
> ---which means dom 19 exists
> Count the number of "Permission denied" and we get the VM count on the host.
>
> I tried xen-4.2 and xen-4.6, same result with above.
>
> But when I use c-xenstored on xen-4.2, all error messages are "Permission denied",
> so there is no way to get any info about other domains on the host.
>
> In func "get_node" of c-xenstored, it will clean up the errno before return:
> /* Clean up errno if they weren't supposed to know. */
> if (!node)
> errno = errno_from_parents(conn, name, errno, perm);
> return node;
> but in oxenstored, there is no such code like this. So, I think this part was missed
> when we upgraded c-xenstored to oxenstored.
>
> Please confirm.
>
> Looking forward to your reply, thank you!
Sundong,
Thanks for your report. At the moment there are actually a fairly large
number of ways to discover active domain IDs through hypercalls as well.
So we will not be treating this as a critical vulnerability.
However, it's always better to make life harder for attackers, so I'm
sure a patch to change oxenstored's behavior would be welcome.
Otherwise, we'll be putting this on a list of improvements to make at
some point.
Also, for future reference, if you find what you think may be a security
vulnerability, please report it directly to the XenProject Securty Team
at security@xenproject.org -- even if you're not sure that it is a
vulnerability yet. Part of our job is to help figure out if there
really is a vulnerability or not.
Thanks,
- The XenProject Security Team
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2016-07-27 15:05 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2016-07-12 3:35 [oxenstored]Guest users could get the VM count and domids on the host Sunguodong
2016-07-27 15:05 ` George Dunlap
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).