
Re: [Xen-users] How to crash nics and hosts

Hi again,

I am sorry, forgot to mention the Xen-Version. It's the actual xen-2.0.7
from yesterday.


Andreas Seuss wrote:

>Hi all,
>found some security related stuff on exporting pci devices (maybe
>nothing new)
>A few words ahead: I know that a normal admin never ever would configure
>a machine as I did during testing ;-)
>When I reconfigured my testing machine, I wanted to use a different NIC
>for my dom0. So I hid the old pci device from dom0 (to have it available
>for a domU) and dom0 used the device as eth0 that I wanted it to use.
>Bridging for that device was also configured. I accidentally forgot to
>apply those changes to the domU config which used the NIC as its eth0.
>So I started up all domUs. They all came up, also the conflicting one. I
>could use the NIC in dom0 and the respective domU. Tried to ping hosts
>from both domains and also downloaded stuff from the internet. When I
>shut down the domU it also crashed eth0 from dom0 (no wonder, same HW).
>The ethernet device was, as far as I know, the only thing that was
>affected. The network in dom0 could not be restarted. Xen-Linux itself
>ran on and I even could start new domains ;-)
>Next thing I tried was to see what effects there are, having two domUs
>using the same pci device.
>Trying to export a pci device to two domUs (without bridging) worked
>also, except that the domain that started first lost network completely
>while the second domU worked as expected. Shutting one of the domUs down
>crashed the whole machine. Had to reset it.
>As long as a privileged domU has a kernel that supports for example NIC
>pci access, it is not even necessary to hide pci devices from dom0. A
>simple parameter (pci = ['00,03,00']) in the domU config is enough to
>lead to undefined and unwanted behaviour.
>Maybe someone finds a way to abuse such behaviour? Does it pose a
>possible security threat or can this issue just be disregarded?
>I think there should be some kind of check, when starting up a domain of
>whether a pci device is already in use. There is for example a check of
>whether the pci export has the right format before creating a domain.
>Maybe some kind of list in the xend-daemon could do the trick. If a
>domain gets started a test on that list could be performed. If a device
>is listed in here, it's in use and the new domain won't be created.
>Another question is, can I still speak of complete virtualization if
>domains have the possibility to access hw directly? (e.g. two domUs with
>each having their own properly configured ethernet device? Not as
>described above ;-))
>Regards, Andreas
>Xen-users mailing list
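
The in-use list proposed in the message above could look like the following. This is an added example, not xend code and not part of the original post. The names `PciRegistry`, `PciConflict`, `pci_entries` and `normalize` are hypothetical, the sample configs are constructed, and the three comma-separated fields of a `pci` entry are assumed to be hexadecimal bus, device and function numbers.

```python
import ast

class PciConflict(Exception):
    """Raised when a domain asks for a PCI device that already has an owner."""

def normalize(entry):
    # '00,03,00' and '0,3,0' must compare equal; fields assumed hex bus,dev,func.
    parts = entry.split(",")
    if len(parts) != 3:
        raise ValueError("bad pci entry: %r" % entry)
    return tuple(int(p.strip(), 16) for p in parts)

def pci_entries(config_text):
    """Collect the devices named by `pci = [...]` without executing the config."""
    devices = set()
    for node in ast.parse(config_text).body:
        if isinstance(node, ast.Assign) and any(
                isinstance(t, ast.Name) and t.id == "pci" for t in node.targets):
            devices.update(normalize(e) for e in ast.literal_eval(node.value))
    return devices

class PciRegistry:
    def __init__(self, dom0_devices=()):
        # Devices dom0 still drives are owned from the start.
        self.owner = {normalize(d): "dom0" for d in dom0_devices}

    def claim(self, domain, config_text):
        wanted = pci_entries(config_text)
        taken = {d: self.owner[d] for d in wanted if d in self.owner}
        if taken:  # refuse before recording anything, so a failed start claims nothing
            raise PciConflict("%s: already in use: %r" % (domain, taken))
        for d in wanted:
            self.owner[d] = domain

    def release(self, domain):
        # Called on domain shutdown so the device can be handed out again.
        self.owner = {d: o for d, o in self.owner.items() if o != domain}

# Constructed sample configs, using the pci line quoted in the post.
DOMU_A = "name = 'domU-a'\npci = ['00,03,00']\n"
DOMU_B = "name = 'domU-b'\npci = ['0,3,0']\n"

def demo():
    reg = PciRegistry(dom0_devices=["00,04,00"])
    reg.claim("domU-a", DOMU_A)
    try:
        reg.claim("domU-b", DOMU_B)
        refused = False
    except PciConflict:
        refused = True
    reg.release("domU-a")
    reg.claim("domU-b", DOMU_B)  # succeeds once the first owner is gone
    return refused, reg.owner[(0, 3, 0)]
```

Seeding the registry with the devices dom0 still uses covers the first case in the post (dom0 and a domU sharing one NIC) as well as the two-domU case.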
