[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Xen-announce] Xen Security Advisory 142 - libxl fails to honour readonly flag on disks with qemu-xen



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

                    Xen Security Advisory XSA-142

        libxl fails to honour readonly flag on disks with qemu-xen

ISSUE DESCRIPTION
=================

Callers of libxl can specify that a disk should be read-only to the
guest.  However, there is no code in libxl to pass this information to
qemu-xen (the upstream-based qemu); and indeed there is no way in qemu
to make a disk read-only.

The vulnerability is exploitable only via devices emulated by the
device model, not the parallel PV devices for supporting PVHVM.
Normally the PVHVM device unplug protocol renders the emulated devices
inaccessible early in boot.

IMPACT
======

Malicious guest administrators or (in some situations) users may be
able to write to supposedly read-only disk images.

CDROM devices (that is, devices specified to be presented to the guest
as CDROMs, regardless of the nature of the backing storage on the
host) are not affected.

VULNERABLE SYSTEMS
==================

Only systems using qemu-xen (rather than qemu-xen-traditional) as the
device model version are vulnerable.

Only systems using libxl or libxl-based toolstacks are vulnerable.
(This includes xl, and libvirt with the libxl driver.)

All versions of libxl which support qemu-xen are vulnerable.  The
affected code was introduced in Xen 4.1.

If the host and guest together usually support PVHVM, the issue is
exploitable only if the malicious guest administrator has control of
the guest kernel or guest kernel command line.

MITIGATION
==========

Switching to qemu-xen-traditional will avoid this vulnerability.
This can be done with
   device_model_version="qemu-xen-traditional"
in the xl configuration file.

Using stub domain device models (which necessarily involves switching
to qemu-xen-traditional) will also avoid this vulnerability.
This can be done with
   device_model_stubdomain_override=true
in the xl configuration file.

Either of these mitigations is liable to have other guest-visible
effects or even regressions.

It may be possible, depending on the configuration, to make the
underlying storage object readonly, or to make it reject writes.

RESOLUTION
==========

There is no reasonable resolution because Qemu does not (at the time
of writing) support presenting a read-only block device to a guest as
a disk.

The attached patch corrects the weakness in the libxl code, by
rejecting the unsupported configurations, rather than allowing them to
run but with the device perhaps writeable by the guest.  Applying it
should increase confidence and avoid future configuration errors, but
will break affected configurations specifying read-only disk devices.

xsa142-4.6.patch                 Xen 4.6.x and later
xsa142-4.5.patch                 Xen 4.3.x to 4.5.x inclusive

$ sha256sum xsa142*.patch
9ec0649f39720bc692be03c87ebea0506d6ec574f339fc745e41b31643240124  
xsa142-4.5.patch
65f01167bfc141048261f56b99ed9b48ec7ff6e98155454ced938a17ec20e7d1  
xsa142-4.6.patch
$

NOTE REGARDING LACK OF EMBARGO
==============================

This issue was discussed in public in the Red Hat bugzilla:
  https://bugzilla.redhat.com/show_bug.cgi?id=1257893

CREDITS
=======

Thanks to Michael Young of Durham University for bring this problem to
our attention.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQEcBAEBAgAGBQJWASalAAoJEIP+FMlX6CvZkVgIAKUhbsVLSK95wRJzNdOrcVgU
c1lCtgZRX2kbc9f05rxbNyadVsQYyT1/i+0wErAsXUKWgNKiKYUFAUaN8382Uim0
1UaJVEcjj5PWWB8rT6EoXqK84ODaLfUwXQosBEhbwKTEMMb0GQu2tIlh4Bc58KI6
SzMFF2IQPvKcHGQFGLmPmxUARXjHXN7WXrAlFn9hXfNmepHnJsOR2MjvFvucYgr0
2tTiZBkRVt8XRH7Ll1nKFD7zu9LlfHA8WHAdddNCawkSO9mxbc58k+0zg1i2gaMx
locAjLK8UXYaFJEi52kqz7qGWItXfFMY8bTmAhexMpbwUu170stsWQfCxyGiWtU=
=BFh1
-----END PGP SIGNATURE-----

Attachment: xsa142-4.5.patch
Description: Binary data

Attachment: xsa142-4.6.patch
Description: Binary data

_______________________________________________
Xen-announce mailing list
Xen-announce@xxxxxxxxxxxxx
http://lists.xen.org/xen-announce

 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.