Hi all,

I found a problem in oxenstored, which may be a security issue:
Guest users could get the VM count and domids on the host by a sniffing method.

You can reproduce it like this:
(1) Create a VM, e.g. CentOS 7.0 64bit
(2) Install xen tools in the VM, execute commands:
    yum install centos-release-xen; yum install
(3) Use xenstore-ls to sniff, execute commands:
    for((i=1;i<=1000;i++));do `xenstore-ls /local/domain/$i 1>>1.txt 2>>2.txt`; done
    then check 2.txt, speculate according to the error messages. Example:
        xenstore-ls: xs_directory (/local/domain/17): No such file or directory
                ---which means dom 17 does not exist
        xenstore-ls: xs_directory (/local/domain/19): Permission denied
                ---which means dom 19 exists
    Count the number of "Permission denied" and we get the VM count on the host.

I tried xen-4.2 and xen-4.6, same result as above.

But when I use c-xenstored on xen-4.2, all error messages are "Permission denied",
so there is no way to get any info about other domains on the host.

In func "get_node" of c-xenstored, it will clean up the errno before returning:
        /* Clean up errno if they weren't supposed to know. */
        if (!node) 
                errno = errno_from_parents(conn, name, errno, perm);
        return node;
but in oxenstored, there is no code like this. So, I think this part was missed
when we upgraded c-xenstored to oxenstored.

Please confirm.

Looking forward to your reply, thank you!


Regards,
Jason
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel
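
The difference described in the message above, as an added example that is not part of the original post and is not xenstored code: a lookup that reports ENOENT and EACCES from the target node alone, next to one that masks the error when the caller cannot read the nearest existing parent. The toy store, its domids and the function names are assumptions made for illustration.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Constructed toy store: each node has one owning domid; dom0 reads all.
 * This is a model for illustration, not xenstored's data structures. */
struct node { const char *path; int owner; };
static const struct node store[] = {
    { "/local/domain",    0 },
    { "/local/domain/5",  5 },
    { "/local/domain/19", 19 },
};

static const struct node *find(const char *path)
{
    for (size_t i = 0; i < sizeof store / sizeof store[0]; i++)
        if (strcmp(store[i].path, path) == 0) return &store[i];
    return NULL;
}

static int can_read(int domid, const struct node *n)
{ return domid == 0 || n->owner == domid; }

/* Leaky: the error code alone tells the caller whether the node exists. */
int lookup_leaky(int domid, const char *path)
{
    const struct node *n = find(path);
    if (!n) return ENOENT;
    return can_read(domid, n) ? 0 : EACCES;
}

/* Masked: the real error is kept only if the caller may read the nearest
 * existing parent (and so could list it anyway); otherwise EACCES. */
int lookup_masked(int domid, const char *path)
{
    int err = lookup_leaky(domid, path);
    char buf[128];
    if (err == 0) return 0;
    snprintf(buf, sizeof buf, "%s", path);
    for (char *s; (s = strrchr(buf, '/')) != NULL && s != buf; ) {
        *s = '\0';                        /* step up one path component */
        const struct node *n = find(buf);
        if (n) return can_read(domid, n) ? err : EACCES;
    }
    return EACCES;                        /* no readable parent found */
}

int main(void)
{
    printf("dom5 leaky : 17=%d 19=%d\n", lookup_leaky(5, "/local/domain/17"), lookup_leaky(5, "/local/domain/19"));
    printf("dom5 masked: 17=%d 19=%d\n", lookup_masked(5, "/local/domain/17"), lookup_masked(5, "/local/domain/19"));
    return 0;
}
```

With masking, a guest gets the same answer for an absent domid and for another guest's domid, while a missing key under its own subtree still returns ENOENT.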
