Commit 971df5ec authored by Henrik Riomar's avatar Henrik Riomar Committed by Milan P. Stanić

main/xen: fix XSA-353

This is CVE-2020-29479
parent a0e02df1
......@@ -207,6 +207,7 @@ options="!strip"
# - CVE-2020-29485 XSA-330
# - CVE-2020-29566 XSA-348
# - CVE-2020-29486 XSA-352
# - CVE-2020-29479 XSA-353
case "$CARCH" in
x86*)
......@@ -308,6 +309,8 @@ source="https://downloads.xenproject.org/release/xen/$pkgver/xen-$pkgver.tar.gz
xsa352.patch
xsa353.patch
xenstored.initd
xenstored.confd
xenconsoled.initd
......@@ -582,6 +585,7 @@ d73b8a7e815601770804029175c068a4331346aa3c137a71cc105684cdded2d13b40a99f67ada614
3ac4b6be70658aad2d9dfd156be92476a81954539aad230b230a360fccc78af596193e4dee4844ac751dacf108d5b3fee82636854a3e608f4c8bbdcf9b3882dc xsa348-4.13-2.patch
b1791c36e0eb0ae6bb89c0529922775e6b9c0ec66cfd99a203bc56ff0ddb071e98ae39e81d4f4d5703149a6e066c0f0dd00283b2cae586429b1fc4d548993d6d xsa348-4.13-3.patch
3fe751d9c802963ec57ffc88a69a08de63f0c45da914b9debc65fd77d5cb407080e7a6e3287a893ccf5c352a2d2786f831458cd302b99d1b3d490e9a7330fbad xsa352.patch
c458c962d9ae45c2fce049e6094923f72dfc87e0a20ef083371215cfe8345f437f556c4efadac841432db8421457eb0a6dea5d93ff148aff2466795125c759e1 xsa353.patch
52c43beb2596d645934d0f909f2d21f7587b6898ed5e5e7046799a8ed6d58f7a09c5809e1634fa26152f3fd4f3e7cfa07da7076f01b4a20cc8f5df8b9cb77e50 xenstored.initd
093f7fbd43faf0a16a226486a0776bade5dc1681d281c5946a3191c32d74f9699c6bf5d0ab8de9d1195a2461165d1660788e92a3156c9b3c7054d7b2d52d7ff0 xenstored.confd
3c86ed48fbee0af4051c65c4a3893f131fa66e47bf083caf20c9b6aa4b63fdead8832f84a58d0e27964bc49ec8397251b34e5be5c212c139f556916dc8da9523 xenconsoled.initd
......
From: =?UTF-8?q?Edwin=20T=C3=B6r=C3=B6k?= <edvin.torok@citrix.com>
Subject: tools/ocaml/xenstored: do permission checks on xenstore root
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
This was lacking in a disappointing number of places.
The xenstore root node is treated differently from all other nodes, because it
doesn't have a parent, and mutation requires changing the parent.
Unfortunately this lead to open-coding the special case for root into every
single xenstore operation, and out of all the xenstore operations only read
did a permission check when handling the root node.
This means that an unprivileged guest can:
* xenstore-chmod / to its liking and subsequently write new arbitrary nodes
there (subject to quota)
* xenstore-rm -r / deletes almost the entire xenstore tree (xenopsd quickly
refills some, but you are left with a broken system)
* DIRECTORY on / lists all children when called through python
bindings (xenstore-ls stops at /local because it tries to list recursively)
* get-perms on / works too, but that is just a minor information leak
Add the missing permission checks, but this should really be refactored to do
the root handling and permission checks on the node only once from a single
function, instead of getting it wrong nearly everywhere.
This is XSA-353.
Signed-off-by: Edwin Török <edvin.torok@citrix.com>
Acked-by: Christian Lindig <christian.lindig@citrix.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
diff --git a/tools/ocaml/xenstored/store.ml b/tools/ocaml/xenstored/store.ml
index f299ec6461..92b6289b5e 100644
--- a/tools/ocaml/xenstored/store.ml
+++ b/tools/ocaml/xenstored/store.ml
@@ -273,15 +273,17 @@ let path_rm store perm path =
Node.del_childname node name
with Not_found ->
raise Define.Doesnt_exist in
- if path = [] then
+ if path = [] then (
+ Node.check_perm store.root perm Perms.WRITE;
Node.del_all_children store.root
- else
+ ) else
Path.apply_modify store.root path do_rm
let path_setperms store perm path perms =
- if path = [] then
+ if path = [] then (
+ Node.check_perm store.root perm Perms.WRITE;
Node.set_perms store.root perms
- else
+ ) else
let do_setperms node name =
let c = Node.find node name in
Node.check_owner c perm;
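Review bot: In path_setperms the root branch is now gated by `Node.check_perm store.root perm Perms.WRITE`, while the non-root branch in the same function requires ownership through `Node.check_owner c perm`, so changing the permissions of `/` is guarded by a different and, if check_owner is the stricter of the two, weaker test than for every other node. Unless the two checks are intentionally different for the root, `Node.check_owner store.root perm;` in the root branch would keep the policy uniform and is the form a later consolidation of the root special case would want anyway. The path_rm root branch earlier in the hunk is consistent with the child path only if `do_rm` checks WRITE on the parent node; that part of `do_rm` starts before the hunk and is not visible here, so it is worth confirming. path_rm begins before the hunk and path_setperms continues past it.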
@@ -313,9 +315,10 @@ let read store perm path =
let ls store perm path =
let children =
- if path = [] then
- (Node.get_children store.root)
- else
+ if path = [] then (
+ Node.check_perm store.root perm Perms.READ;
+ Node.get_children store.root
+ ) else
let do_ls node name =
let cnode = Node.find node name in
Node.check_perm cnode perm Perms.READ;
@@ -324,9 +327,10 @@ let ls store perm path =
List.rev (List.map (fun n -> Symbol.to_string n.Node.name) children)
let getperms store perm path =
- if path = [] then
- (Node.get_perms store.root)
- else
+ if path = [] then (
+ Node.check_perm store.root perm Perms.READ;
+ Node.get_perms store.root
+ ) else
let fct n name =
let c = Node.find n name in
Node.check_perm c perm Perms.READ;