
Re: [Xen-API] Backport request "libxl: In libxl_set_vcpuonline check for maximum number of VCPUs against the cpumap." (Was: Re: [Bug report] Security issue in "xl vcpu-set")



On Mon, 2015-06-08 at 11:35 +0100, Ian Jackson wrote:
> Luwei Cheng writes ("Re: Backport request "libxl: In libxl_set_vcpuonline 
> check for maximum number of VCPUs against the cpumap." (Was: Re: [Bug report] 
> Security issue in "xl vcpu-set")"):
> > Some third-party management tools might be built directly above xl.
> > Perhaps they cannot rely on "Ctrl-C"..
> 
> In general callers of libxl will not be built to raise SIGINT.  For
> example, if libvirt called this function in a way that triggers the
> bug, there wouldn't be any reasonable way to recover control.
> 
> I'm afraid I'm still not clear about when the failure can be triggered
> by an attacker.

I was able to reproduce by pressing a key at a pygrub prompt to drop to
a prompt and then leaving the guest in that state, where the domain
exists but does not yet have any vcpus etc.

Ian.

