Bug 464818 - libvirt/virsh access unsafe data from xenstored
Status: CLOSED NOTABUG
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: libvirt
5.4
All Linux
medium Severity medium
: rc
: ---
Assigned To: Daniel Veillard
Virtualization Bugs
Depends On: CVE-2008-4405
Reported: 2008-09-30 13:22 EDT by Daniel Berrange
Modified: 2009-12-14 16:13 EST

Doc Type: Bug Fix
Last Closed: 2009-01-22 08:04:53 EST

Description Daniel Berrange 2008-09-30 13:22:05 EDT
Description of problem:
The location /local/domain/$DOMID in xenstore is fully writable by guest virtual machines.

Unfortunately, libvirt reads a few pieces of data from here & uses them in ways which are potentially unsafe.

Specifically we read

 - VNC port for graphical framebuffer
 - TTY path for text console

This info is exposed in the libvirt XML, which is then used by other virt enabled applications like virt-manager, virt-install. It is possible that a malicious guest can write bogus data into xenstore which would cause applications using libvirt to perform unsafe actions.

Version-Release number of selected component (if applicable):
libvirt-0.3.3-7.el5

How reproducible:
Always

Steps to Reproduce:
1. Inside a guest

 # yum install xen
 # xenstore-write /local/domain/GUEST-DOMID/console/tty /i/am/the/evil/guest

2. On the host

  virsh dumpxml GUEST-NAME | grep console

  
Actual results:
# virsh dumpxml rhel5pv | grep console
    <console tty='/i/am/the/evil/guest'/>


Expected results:
# virsh dumpxml rhel5pv | grep console
    <console tty='/dev/pty/3'/>

ie, console tty is not impacted by guest. Likewise for VNC port

Additional info:
Comment 1 Daniel Berrange 2008-10-02 07:39:13 EDT
Upstream xen has revised their original patch dealing with this problem. Instead of moving the 'console' area within xenstore, it is now made read-only to the guest

 http://xenbits.xensource.com/staging/xen-3.3-testing.hg?rev/e0e17216ba70

So the TTY path problem should no longer be a security issue wrt libvirt. We still need to check other usage of xenstore in libvirt to make sure it's not using untrusted data. Hopefully nothing will need changing, but I'll leave this open for now, until we've audited libvirt's use of xenstore.
Comment 2 Daniel Berrange 2009-01-22 08:04:53 EST
Libvirt usage of XenStore is now safe, following the fixes to XenStore permissions for guest areas.
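
Added example (not part of the bug report and not libvirt or virt-manager code): a consumer-side check that treats the console TTY path and VNC port in libvirt domain XML as untrusted before acting on them, as the description's concern about applications using libvirt suggests. The accepted path pattern, the port range, the function names and the sample XML are assumptions constructed for illustration.

```python
import os
import re
import stat
import xml.etree.ElementTree as ET

# Assumptions for this sketch: host ptys appear as /dev/pts/N (or /dev/pty/N,
# the form in the report's expected output); VNC listens on 5900 or above.
TTY_RE = re.compile(r"/dev/(?:pts|pty)/[0-9]{1,5}")
VNC_PORTS = range(5900, 65536)

def check_domain_xml(xml_text):
    """Return (field, value, reason) for each guest-influenced value that looks unsafe."""
    findings = []
    root = ET.fromstring(xml_text)
    for console in root.iter("console"):
        tty = console.get("tty")
        if tty is not None and not TTY_RE.fullmatch(tty):
            findings.append(("console/@tty", tty, "not a pty device path"))
    for gfx in root.iter("graphics"):
        port = gfx.get("port", "")
        if gfx.get("type") != "vnc" or port == "-1":  # -1: no port allocated
            continue
        if not re.fullmatch(r"[0-9]{1,5}", port) or int(port) not in VNC_PORTS:
            findings.append(("graphics/@port", port, "outside expected VNC range"))
    return findings

def is_char_device(path):
    """Runtime check before opening a console path: must itself be a char device."""
    try:
        return stat.S_ISCHR(os.lstat(path).st_mode)
    except OSError:
        return False

# Constructed sample XML, modelled on the <console> line shown in the report.
TEMPLATE = """<domain type='xen'><name>rhel5pv</name><devices>
  <console tty='{tty}'/>
  <graphics type='vnc' port='{port}'/>
</devices></domain>"""
GOOD = TEMPLATE.format(tty="/dev/pty/3", port="5900")
BAD = TEMPLATE.format(tty="/i/am/the/evil/guest", port="22")

if __name__ == "__main__":
    for label, doc in (("good", GOOD), ("bad", BAD)):
        print(label, check_domain_xml(doc))
```

The syntactic check rejects traversal forms such as /dev/pts/../../etc/shadow because the whole value must match the pattern; is_char_device is the additional check to run on the host immediately before opening the path.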
