Xen project Mailing List

Security support status of xnf(4) and xbf(4)

To: Roger Pau Monné <roger.pau@xxxxxxxxxx>, Marek Marczykowski-Górecki <marmarek@xxxxxxxxxxxxxxxxxxxxxx>

From: Demi Marie Obenour <demi@xxxxxxxxxxxxxxxxxxxxxx>

Date: Fri, 25 Mar 2022 12:13:59 -0400

Cc: Xen developer discussion <xen-devel@xxxxxxxxxxxxxxxxxxxx>, OpenBSD technical mailing list <tech@xxxxxxxxxxx>

Delivery-date: Fri, 25 Mar 2022 16:14:35 +0000

List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

Linux’s netfront and blkfront drivers recently had a security vulnerability (XSA-396) that allowed a malicious backend to potentially compromise them. In follow-up audits, I found that OpenBSD’s xnf(4) currently trusts the backend domain. I reported this privately to Theo de Raadt, who indicated that OpenBSD does not consider this to be a security concern. This is obviously a valid position for the OpenBSD project to take, but it is surprising to some (such as myself) from the broader Xen ecosystem. Standard practice in the Xen world is that bugs in frontends that allow a malicious backend to cause mischief *are* considered security bugs unless there is explicit documentation to the contrary. As such, I believe this deserves to be noted in xnf(4) and xbf(4)’s man pages. If the OpenBSD project agrees, I am willing to write a patch, but I have no experience with mandoc so it might take a few tries. -- Sincerely, Demi Marie Obenour (she/her/hers) Invisible Things Lab

Attachment: signature.asc
Description: PGP signature

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.