XSA-127

CVE-2015-2751


问题描述

http://xenbits.xen.org/xsa/advisory-127.html

certain domctl operations may be abused to lock up the host:

XSA-77 put the majority of the domctl operations on a list excepting them from having security advisories issued for them if any effects their use might have could hamper security. Subsequently some of them got declared disaggregation safe, but for a small subset this was not really correct: Their (mis-)use may result in host lockups.

对domctl的错误使用会造成host被lockup(maybe DoS?)

privilege uncheck (current domain check)


Patch描述

http://xenbits.xen.org/xsa/xsa127.patch

--- a/xen/arch/x86/domctl.c
+++ b/xen/arch/x86/domctl.c
@@ -884,6 +884,10 @@ long arch_do_domctl(
     {
         xen_guest_tsc_info_t info;
 
+        ret = -EINVAL;
+        if ( d == current->domain ) /* no domain_pause() */
+            break;
+
         domain_pause(d);
         tsc_get_info(d, &info.tsc_mode,
                         &info.elapsed_nsec,
@@ -899,6 +903,10 @@ long arch_do_domctl(
 
     case XEN_DOMCTL_settscinfo:
     {
+        ret = -EINVAL;
+        if ( d == current->domain ) /* no domain_pause() */
+            break;
+
         domain_pause(d);
         tsc_set_info(d, domctl->u.tsc_info.info.tsc_mode,
                      domctl->u.tsc_info.info.elapsed_nsec,
--- a/xen/common/domctl.c
+++ b/xen/common/domctl.c
@@ -531,7 +531,10 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xe
         break;
 
     case XEN_DOMCTL_resumedomain:
-        domain_resume(d);
+        if ( d == current->domain ) /* no domain_pause() */
+            ret = -EINVAL;
+        else
+            domain_resume(d);
         break;
 
     case XEN_DOMCTL_createdomain:

就是判断下domctl的是否是current->domain,如果是则返回,否则会造成host lockup。


Consequence

Domains deliberately given partial management control may be able to deny service to the entire host.

DoS

由于XSA-77将domctl进行了disaggregation,所以只有运行domctl的service会造成DoS。