xen-users
Re: [Xen-users] How to crash nics and hosts
Hi again,
I am sorry, forgot to mention the Xen-Version. It's the actual xen-2.0.7
from yesterday.
Regards
Andreas Seuss wrote:
>Hi all,
>
>found some security related stuff on exporting pci devices (maybe
>nothing new)
>A few words ahead: I know that a normal admin never ever would configure
>a machine as I did during testing ;-)
>
>When I reconfigured my testing machine, I wanted to use a different NIC
>for my dom0. So I hid the old pci device from dom0 (to have it available
>for a domU) and dom0 used the device as eth0 that I wanted it to use.
>Bridging for that device was also configured. I accidentally forgot to
>apply those changes to the domU config which used the NIC as its eth0
>before.
>
>So I started up all domUs. They all came up, also the conflicting one. I
>could use the NIC in dom0 and the respective domU. Tried to ping hosts
>from both domains and also downloaded stuff from the internet. When I
>shut down the domU it also crashed eth0 from dom0 (no wonder, same HW).
>The ethernet device was, as far as I know, the only thing that was
>affected. The network in dom0 could not be restarted. Xen-Linux itself
>ran on and I even could start new domains ;-)
>
>Next thing I tried was to see what effects there are, having two domUs
>using the same pci device.
>
>Trying to export a pci device to two domUs (without bridging) worked
>also, except that the domain that started first lost network completely
>while the second domU worked as expected. Shutting one of the domUs down
>crashed the whole machine. Had to reset it.
>
>As long as a privileged domU has a kernel that supports for example NIC
>pci access, it is not even necessary to hide pci devices from dom0. A
>simple parameter (pci = ['00,03,00']) in the domU config is enough to
>lead to undefined and unwanted behaviour.
>
>Maybe someone finds a way to abuse such behaviour? Does it pose a
>possible security threat or can this issue just be disregarded?
>
>I think there should be some kind of check, when starting up a domain of
>whether a pci device is already in use. There is for example a check of
>whether the pci export has the right format before creating a domain.
>Maybe some kind of list in the xend-daemon could do the trick. If a
>domain gets started a test on that list could be performed. If a device
>is listed in here, it's in use and the new domain won't be created.
>
>Another question is, can I still speak of complete virtualization if
>domains have the possibility to access hw directly? (e.g. two domUs with
>each having their own properly configured ethernet device? Not as
>described above ;-))
>
>Regards, Andreas
>
>_______________________________________________
>Xen-users mailing list
>Xen-users@xxxxxxxxxxxxxxxxxxx
>http://lists.xensource.com/xen-users
>
>
>
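The in-use check proposed in the quoted message, sketched as an added example (not code from the post or from xend). `PciRegistry`, `claim` and `release` are hypothetical names, the configs are constructed samples, and reading each entry as hex "bus,dev,func" is an assumption based on the `pci = ['00,03,00']` line above.

```python
import ast
import re

# Assumption: each entry is "bus,dev,func" in hex, as in pci = ['00,03,00'].
_ENTRY = re.compile(r"[0-9a-fA-F]{1,2},[0-9a-fA-F]{1,2},[0-9a-fA-F]{1,2}")

class PciInUse(Exception):
    """A requested PCI device is already held by another domain."""

def parse_pci(config_text):
    """Return the normalised (bus, dev, func) tuples a domain config asks for."""
    devices = set()
    for node in ast.parse(config_text).body:  # parsed, never executed
        if not isinstance(node, ast.Assign):
            continue
        if [getattr(t, "id", None) for t in node.targets] != ["pci"]:
            continue
        for entry in ast.literal_eval(node.value):
            if not isinstance(entry, str) or not _ENTRY.fullmatch(entry):
                raise ValueError("malformed pci entry: %r" % (entry,))
            devices.add(tuple(int(part, 16) for part in entry.split(",")))
    return devices

class PciRegistry:
    """Hypothetical in-use list, consulted before a domain is created."""
    def __init__(self):
        self._owner = {}  # (bus, dev, func) -> owning domain name

    def claim(self, domain, config_text):
        wanted = parse_pci(config_text)
        taken = sorted((d, self._owner[d]) for d in wanted
                       if self._owner.get(d, domain) != domain)
        if taken:  # refuse before recording anything: all or nothing
            raise PciInUse("%s refused, in use: %r" % (domain, taken))
        for dev in wanted:
            self._owner[dev] = domain
        return wanted

    def release(self, domain):
        """Call on shutdown or destroy so the device can be reassigned."""
        for dev in [d for d, o in self._owner.items() if o == domain]:
            del self._owner[dev]

    def owner(self, bus, dev, func):
        return self._owner.get((bus, dev, func))

# Constructed sample configs; the second spells the same NIC as '0,3,0'.
DOM0 = "pci = ['00,02,00']"
DOMU_A = "name = 'domU-a'\nmemory = 64\npci = ['00,03,00']\n"
DOMU_B = "name = 'domU-b'\npci = ['0,3,0', '00,04,00']\n"
```

Registering dom0's own devices first covers the dom0/domU conflict from the first test in the message, and normalising the entries means `'0,3,0'` and `'00,03,00'` are treated as the same device.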