CVE-2015-2751
http://xenbits.xen.org/xsa/advisory-127.html
certain domctl operations may be abused to lock up the host:
XSA-77 put the majority of the domctl operations on a list excepting them from having security advisories issued for them if any effects their use might have could hamper security. Subsequently some of them got declared disaggregation safe, but for a small subset this was not really correct: Their (mis-)use may result in host lockups.
对domctl的错误使用会造成host被lockup(maybe DoS?)
privilege uncheck (current domain check)
http://xenbits.xen.org/xsa/xsa127.patch
--- a/xen/arch/x86/domctl.c
+++ b/xen/arch/x86/domctl.c
@@ -884,6 +884,10 @@ long arch_do_domctl(
{
xen_guest_tsc_info_t info;
+ ret = -EINVAL;
+ if ( d == current->domain ) /* no domain_pause() */
+ break;
+
domain_pause(d);
tsc_get_info(d, &info.tsc_mode,
&info.elapsed_nsec,
@@ -899,6 +903,10 @@ long arch_do_domctl(
case XEN_DOMCTL_settscinfo:
{
+ ret = -EINVAL;
+ if ( d == current->domain ) /* no domain_pause() */
+ break;
+
domain_pause(d);
tsc_set_info(d, domctl->u.tsc_info.info.tsc_mode,
domctl->u.tsc_info.info.elapsed_nsec,
--- a/xen/common/domctl.c
+++ b/xen/common/domctl.c
@@ -531,7 +531,10 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xe
break;
case XEN_DOMCTL_resumedomain:
- domain_resume(d);
+ if ( d == current->domain ) /* no domain_pause() */
+ ret = -EINVAL;
+ else
+ domain_resume(d);
break;
case XEN_DOMCTL_createdomain:
就是判断下domctl的是否是current->domain
,如果是则返回,否则会造成host lockup。
Domains deliberately given partial management control may be able to deny service to the entire host.
DoS
由于XSA-77将domctl进行了disaggregation,所以只有运行domctl的service会造成DoS。