XSA-77

none (yet) assigned

问题描述

http://xenbits.xen.org/xsa/advisory-77.html

Disaggregated domain management security status

Xen supports disaggregation of various support and management functions into their own domains; this is often done for security and robustness reasons.

In Xen 4.3 additional functionality was introduced to allow further disaggregation: the Xen Security Modules mechanism was enhanced to make it possible to delegate various domain control hypercalls to particular other domains, rather than only permitting use by dom0.

However the several affected hypercall implementations were originally written to be used only by the totally-privileged dom0, and have not been reviewed for security when exposed to supposedly-only-semi-privileged disaggregated management domains. But such management domains are (in such a design) to be seen as potentially hostile, e.g. due to privilege escalation following exploitation of a bug in the management domain.

The affected hypercalls are:

• __HYPERVISOR_domctl: The majority of the XEN_DOMCTL_* subops are affected. Exceptions are listed below.
• __HYPERVISOR_sysctl: All XEN_SYSCTL_* subops are affected.
• __HYPERVISOR_memory_op: A small number of XENMEM_* subops are affected. See below.
• __HYPERVISOR_tmem_op: All TMEMC_* sub-subops of the TMEM_CONTROL subop are affected.

The majority of the domctls are subject to this issue. Prior to 4.3, only the following domctls were disaggregatable, and they are NOT affected by these problems:

• XEN_DOMCTL_ioport_mapping
  
• XEN_DOMCTL_bind_pt_irq
• XEN_DOMCTL_memory_mapping
  
• XEN_DOMCTL_unbind_pt_irq

The implementations of these were written with semi-trusted callers in mind.

Only the following memory op subops are affected:

• XENMEM_set_pod_target
  
• XENMEM_get_pod_target
• XENMEM_claim_pages

The remainder of the memory ops were written with untrusted or semi-trusted callers in mind.

现在Xen支持将不同hypercall的处理disaggregate到不同的management domain（而不是原来唯一的domain 0）。但是在这个设计中有些之前写好的hypercall只支持运行在totally-privileged dom0，而不能被运行在semi-privileged disaggragated management domain（否则会有privilege escalation的危险）。以上列举了相应的hypercall。

design error

Patch描述

http://xenbits.xen.org/xsa/xsa77-unstable.patch

ist interfaces subject to the security process exception in XSA-77

It is expected that these lists will be whittled away as each interface is audited for safety.

将之前列出的相应的hypercall进行区别处理，保证其被audited。将它们加入xsm-flask。

Consequence

Domains deliberately given partial management control may be able to deny service to the entire host or even escalate their privileges.

DoS, privilege escalation