Re: [oxenstored]Guest users could get the VM count and domids on the host

From: George Dunlap <dunlapg@umich.edu>
To: Sunguodong <sunguodong@huawei.com>
Cc: Fanhenglong <fanhenglong@huawei.com>,
	"xen-devel@lists.xen.org" <xen-devel@lists.xen.org>
Subject: Re: [oxenstored]Guest users could get the VM count and domids on the host
Date: Wed, 27 Jul 2016 16:05:56 +0100	[thread overview]
Message-ID: <CAFLBxZbJXCB_bXWEWA1B0TmMn3Rjm-eJ7BpVLKYLX8gZtN5sfA@mail.gmail.com> (raw)
In-Reply-To: <C4F54B75462B9A4B93567D28C587A136AF0569E6@NKGEML515-MBX.china.huawei.com>

On Tue, Jul 12, 2016 at 4:35 AM, Sunguodong <sunguodong@huawei.com> wrote:
> Hi all,
>
> I found a problem in oxenstored, which may be a security issue:
> Guest users could get the VM count and domids on the host by a sniffing method.
>
> You can reproduce it like this:
> (1) Create a VM, e.g. CentOS 7.0 64bit
> (2) Install xen tools in VM, excute cmds:
>     yum install centos-release-xen; yum install
> (3) Use xenstore-ls to sniff, excute cmds:
>     for((i=1;i<=1000;i++));do `xenstore-ls /local/domain/$i 1>>1.txt 2>>2.txt`; done
>     then check 2.txt, speculate according the error message. example:
>         xenstore-ls: xs_directory (/local/domain/17): No such file or directory
>                 ---which means dom 17 does not exist
>         xenstore-ls: xs_directory (/local/domain/19): Permission denied
>                 ---which means dom 19 exists
>     Count the number of "Permission denied" and we get the VM count on the host.
>
> I tried xen-4.2 and xen-4.6, same result with above.
>
> But when I use c-xenstored on xen-4.2, all error messages are "Permission denied",
> so there is no way to get any info about other domains on the host.
>
> In func "get_node" of c-xenstored, it will clean up the errno before return:
>         /* Clean up errno if they weren't supposed to know. */
>         if (!node)
>                 errno = errno_from_parents(conn, name, errno, perm);
>         return node;
> but in oxenstored, there is no such code like this. So, I think this part was missed
> when we upgraded c-xenstored to oxenstored.
>
> Please confirm.
>
> Looking forward to your reply, thank you!

Sundong,

Thanks for your report.  At the moment there are actually a fairly large
number of ways to discover active domain IDs through hypercalls as well.
So we will not be treating this as a critical vulnerability.

However, it's always better to make life harder for attackers, so I'm
sure a patch to change oxenstored's behavior would be welcome.
Otherwise, we'll be putting this on a list of improvements to make at
some point.

Also, for future reference, if you find what you think may be a security
vulnerability, please report it directly to the XenProject Securty Team
at security@xenproject.org -- even if you're not sure that it is a
vulnerability yet.  Part of our job is to help figure out if there
really is a vulnerability or not.

Thanks,
 - The XenProject Security Team

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel