[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Xen-users] How to crash nics and hosts

Hi all,

found some security related stuff on exporting pci devices (maybe
nothing new)
A few words ahead: I know that a normal admin never ever would configure
a machine as I did during testing ;-)

When I reconfigured my testing machine, I wanted to use a different NIC
for my dom0. So I hid the old pci device from dom0 (to have it available
for a domU) and dom0 used the device as eth0 that I wanted it to use.
Bridging for that device was also configured. I accidentally forgot to
apply those changes to the domU config which used the NIC as its eth0

So I started up all domUs. They all came up, also the conflicting one. I
could use the NIC in dom0 and the respective domU. Tried to ping hosts
from both domains and also downloaded stuff from the internet. When I
shut down the domU it also crashed eth0 from dom0 (no wonder, same HW).
The ethernet device was, as far as I know, the only thing that was
affected. The network in dom0 could not be restarted. Xen-Linux itself
ran on and I even could start new domains ;-)

Next thing I tried was to see what effects there are, having two domUs
using the same pci device.

Trying to export a pci device to two domUs (without bridging) worked
also, except that the domain that started first lost network completely
while the second domU worked as expected. Shutting one of the domUs down
crashed the whole machine. Had to reset it.

As long as a privileged domU has a kernel that supports for example NIC
pci access, it is not even necessary to hide pci devices from dom0. A
simple parameter (pci = ['00,03,00']) in the domU config is enough to
lead to undefined and unwanted behaviour.

Maybe someone finds a way to abuse such behaviour? Does it pose a
possible security threat or can this issue just be disregarded?

I think there should be some kind of check, when starting up a domain of
whether a pci device is already in use. There is for example a check of
wether the pci export has the right format before creating a domain.
Maybe some kind of list in the xend-daemon could do the trick. If a
domain gets started a test on that list could be performed. If a device
is listed in here, it's in use and the new domain won't be created.

Another question is, can I still speak of complete virtualization if
domains have the possibility to access hw directly? (e.g. two domUs with
each having their own properly configured ethernet device? Not as
described above ;-))

Regards, Andreas

Xen-users mailing list



Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.