Description Yury German 2017-04-11 18:47:30 UTC

Xen Security Advisory XSA-206
                              version 9

            xenstore denial of service via repeated update

UPDATES IN VERSION 9
====================

More exhaustive testing discovered a further bug in the oxenstored
patches: if no transactions are performed (ie, only atomic writes),
the new in-memory history record can grow without bound.  This means
that an attacker could be able to render oxenstored slow and
eventually unuseable, and/or run dom0 out of memory.  Running any
transaction (even one which aborts) will clear the history, so
periodically running the command
   xenstore-write /xsa206-v7-leak 1 /xsa206-v7-leak 2
will mitigate the problem.

This bug is fixed in the new final patch attached to this version,
 "oxenstored: trim history in the frequent_ops function"
The other patches remain unchanged.

ISSUE DESCRIPTION
=================

xenstored supports transactions, such that if writes which would
invalidate assumptions of a transaction occur, the entire transaction
fails.  Typical response on a failed transaction is to simply retry
the transaction until it succeeds.

Unprivileged domains may issue writes to xenstore which conflict with
transactions either of the toolstack or of backends such as the driver
domain. Depending on the exact timing, repeated writes may cause
transactions made by these entities to fail indefinitely.

IMPACT
======

Unprivileged guests may be able to stall progress of the control
domain or driver domain, possibly leading to a Denial of Service (DoS)
of the entire host.

In most systems, the impact is limited to the delay or prevention of
control operations (such as domain creation, reconfiguration,
configuration enquiry, or destruction).

VULNERABLE SYSTEMS
==================

All Xen versions are vulnerable.

Both "cxenstored" (the version of xenstored written in C) and
"oxenstored" (the version of xenstored written in ocaml) are
vulnerable.  oxenstored in Xen 4.7 and later is more difficult to
exploit because it has more fine-grained detection of conflicts.

MITIGATION
==========

If the rogue domain(s) can be identified, it will usually be possible
to pause them with "xl pause" and/or destroy them with "xl destroy".
Note that if the toolstack is not simply "xl", the toolstack may be
confused by use of "xl" to pause or destroy domains.

The output of commands such as "xl top" and "xenstore-ls -fp" may be
helpful to find the rogue domain(s).

When the rogue domain(s) are paused or destroyed, the stuck operations
will become unstuck.

CREDITS
=======

This issue was discovered by Jürgen Groß of SUSE.

RESOLUTION
==========

Applying the appropriate attached patches resolves this issue by
limiting the rate at which it is possible to invalidate transactions.

C xenstored
- -----------

Only the first of the patches is strictly necessary to solve the
issue; the second patch adds logging for when the situation occurs, so
may be useful in detecting attacks or debugging issues.

ocaml xenstored
- ---------------

The oxenstored patches depend on some patches to reduce false
conflicts in transactions that were introduced in Xen 4.7.  The
patches for 4.4-4.6 include backported versions of these patches in
addition to backported versions of the ratelimiting patches.

Xen 4.4 requires some further backports in order to allow the
ratelimiting patches to apply cleanly without significant reworking.
These have been kept to a minimum.

Identification of patch files
- -----------------------------

The patch number ranges are:
xen-unstable, 4.8, and 4.7:
  0001-0002: cxenstored
  0003-0016: oxenstored ratelimiting

4.6, 4.5:
  0001-0002: cxenstored
  0003-0010: oxenstored avoidance of needless conflicts
  0011-0024: oxenstored ratelimiting

4.4:
  0001-0002: cxenstored
  0003-0009: oxenstored further prerequisites
  0009-0017: oxenstored avoidance of needless conflicts
  0018-0031: oxenstored ratelimiting

xsa206-unstable/*.patch  xen-unstable
xsa206-4.8/*.patch       xen-4.8
xsa206-4.7/*.patch       xen-4.7
xsa206-4.6/*.patch       xen-4.6
xsa206-4.5/*.patch       xen-4.5
xsa206-4.4/*.patch       xen-4.4