SUSE:SLE-12-SP2:GA
File xsa178-0001-libxl-Make-copy-of-every-xs-backend-in-libxl-in-_gen.patch of Package xen.3680
References: bsc#979670 CVE-2016-4963 XSA-178

From d0712483981daf5a748c1cd083fe61d8d9ea8102 Mon Sep 17 00:00:00 2001
From: Ian Jackson <ian.jackson@eu.citrix.com>
Date: Fri, 29 Apr 2016 16:19:28 +0100
Subject: [PATCH 01/21] libxl: Make copy of every xs backend in /libxl in _generic_add

We want to stop libxl trustingly reading information from the backend directory (since this is, of course, writeable by the backend, which might be a semi-trusted driver domain).

In principle it is wrong in current libxl for anything to try to divine virtual device configuration from xenstore: the JSON domain config ought to supply that, and xenstore should only tell us which devices actually exist.

However:

Firstly, there are several existing places where configuration information is retrieved from xenstore rather than JSON. We do not want to reengineer this in a security patch.

Secondly, we want to make a security patch which can be backported to versions of libxl without the JSON configuration machinery.

So we take the expedient approach of keeping a copy of the configuration somewhere we trust, namely /libxl. This is obviously fairly low-risk, although it does write significantly more keys in xenstore.

In this patch we make this change in libxl__device_generic_add. This is responsible for actually writing the vast majority of device information to xenstore. There are a few loose ends which will be dealt with in a moment. Likewise, changes to readers to use the new location will appear in further patches.

This is part of XSA-178.

Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com> Reviewed-by: Wei Liu <wei.liu2@citrix.com> --- docs/misc/xenstore-paths.markdown | 4 ++++ tools/libxl/libxl_device.c | 23 +++++++++++++++++++++++ 2 files changed, 27 insertions(+) Index: xen-4.4.4-testing/docs/misc/xenstore-paths.markdown =================================================================== --- xen-4.4.4-testing.orig/docs/misc/xenstore-paths.markdown +++ xen-4.4.4-testing/docs/misc/xenstore-paths.markdown @@ -396,6 +396,10 @@ Path in xenstore to the frontend, normal Path in xenstore to the backend, normally /local/domain/$BACKEND_DOMID/backend/$KIND/$DOMID/$DEVID +#### /libxl/$DOMID/device/$KIND/$DEVID/$NODE + +Trustworthy copy of /local/domain/$DOMID/backend/$KIND/$DEVID/$NODE. + #### /libxl/$DOMID/dm-version ("qemu\_xen"|"qemu\_xen\_traditional") = [n,INTERNAL] The device model version for a domain. Index: xen-4.4.4-testing/tools/libxl/libxl_device.c =================================================================== --- xen-4.4.4-testing.orig/tools/libxl/libxl_device.c +++ xen-4.4.4-testing/tools/libxl/libxl_device.c 
@@ -167,6 +167,29 @@ retry_transaction: xs_write(ctx->xsh, t, GCSPRINTF("%s/frontend", backend_path), frontend_path, strlen(frontend_path)); libxl__xs_writev(gc, t, backend_path, bents); + + /* + * We make a copy of everything for the backend in the libxl + * path as well. This means we don't need to trust the + * backend. Ideally this information would not be used and we + * would use the information from the json configuration + * instead. But there are still places in libxl that try to + * reconstruct a config from xenstore. + * + * This duplication will typically produces duplicate keys + * which will go out of date, but that's OK because nothing + * reads those. For example, there is usually + * /libxl/$guest/device/$kind/$devid/state + * which starts out containing XenbusStateInitialising ("1") + * just like the copy in + * /local/domain/$driverdom/backend/$guest/$kind/$devid/state + * but which won't ever be updated. + * + * This duplication is superfluous and messy but as discussed + * the proper fix is more intrusive than we want to do now. + */ + rc = libxl__xs_writev(gc, t, libxl_path, bents); + if (rc) goto out; } if (!create_transaction)
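Review bot: In the docs/misc/xenstore-paths.markdown hunk, the added description "Trustworthy copy of /local/domain/$DOMID/backend/$KIND/$DEVID/$NODE" does not match the backend path given in the context line directly above it, /local/domain/$BACKEND_DOMID/backend/$KIND/$DOMID/$DEVID: it puts $DOMID where the backend domain belongs and drops the guest domid component. Suggest "Trustworthy copy of /local/domain/$BACKEND_DOMID/backend/$KIND/$DOMID/$DEVID/$NODE" so a reader can tell which backend node each /libxl key mirrors. The new heading also carries no value or access annotation, unlike the dm-version entry that follows it.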
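Review bot: In the tools/libxl/libxl_device.c hunk, the return value of the new libxl__xs_writev(gc, t, libxl_path, bents) is checked, but the libxl__xs_writev(gc, t, backend_path, bents) call on the context line just above it is not, so a failed backend write passes silently while a failed /libxl write bails out. Suggest checking both calls, and confirming that the out: label ends transaction t, because the new "if (rc) goto out;" leaves from inside retry_transaction and the hunk does not show that path. In the comment, "will typically produces" should read "will typically produce", and the example path /local/domain/$driverdom/backend/$guest/$kind/$devid/state orders its components differently from the $KIND/$DOMID/$DEVID layout in xenstore-paths.markdown.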