PASZTOR Gyorgy
2013-Oct-22 09:52 UTC
[Pkg-xen-devel] Bug#727100: domain doesn't reboot with xl toolstack
Package: xen-utils-4.1
Version: 4.1.4-3+deb7u1
Severity: important
Tags: security patch

When you use xl toolstack, you can't reboot domUs.
When you switch back to xm toolstack, then reboot works again.
I think the problem with the debian packaged version is the same as in
this thread:
http://lists.xen.org/archives/html/xen-devel/2011-09/msg01289.html
I also think it's a security issue, since this is kind of a DoS from
the viewpoint of a domU.

In that thread, Ian Campbell also provided a patch, which might work for
the debian version too. (I haven't tested yet.)

Cheers,
György PÁSZTOR

-- System Information:
Debian Release: 7.2
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-4-amd64 (SMP w/8 CPU cores)
Locale: LANG=hu_HU.UTF-8, LC_CTYPE=hu_HU.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages xen-utils-4.1 depends on:
ii  e2fslibs          1.42.5-1.1
ii  libc6             2.13-38
ii  libgnutls26       2.12.20-7
ii  libncurses5       5.9-10
ii  libpci3           1:3.1.9-6
ii  libtinfo5         5.9-10
ii  libuuid1          2.20.1-5.3
ii  libxen-4.1        4.1.4-3+deb7u1
ii  libxenstore3.0    4.1.4-3+deb7u1
ii  python            2.7.3-4+deb7u1
ii  python2.7         2.7.3-6
ii  xen-utils-common  4.1.4-3+deb7u1
ii  zlib1g            1:1.2.7.dfsg-13

Versions of packages xen-utils-4.1 recommends:
ii  bridge-utils                                     1.5-6
ii  qemu-keymaps                                     1.1.2+dfsg-6a
ii  qemu-utils                                       1.1.2+dfsg-6a
ii  xen-hypervisor-4.1-amd64 [xen-hypervisor-4.1]    4.1.4-3+deb7u1

Versions of packages xen-utils-4.1 suggests:
pn  xen-docs-4.1  <none>

-- no debconf information
-------------- next part --------------
A non-text attachment was scrubbed...
Name: xl-migration-reboot.ian.patch
Type: text/x-diff
Size: 708 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-xen-devel/attachments/20131022/e9fb0bfe/attachment.patch>

Ian Campbell
2013-Oct-22 10:17 UTC
[Pkg-xen-devel] Bug#727100: Bug#727100: domain doesn't reboot with xl toolstack
On Tue, 2013-10-22 at 11:52 +0200, PASZTOR Gyorgy wrote:
> When you use xl toolstack, you can't reboot domUs.
> When you switch back to xm toolstack, then reboot works again.
> I think the problem with the debian packaged version is the same as in
> this thread:
> http://lists.xen.org/archives/html/xen-devel/2011-09/msg01289.html
> I also think it's a security issue, since this is kind of a DoS from
> the viewpoint of a domU.

The only people who can migrate a domain in any sensible deployment
would be the host administrator or maybe the VM admin. So there is no
security aspect since they are already more than privileged enough to simply
destroy the domain if they wanted.

The status of xl in 4.1 was "try it and if it works for you great,
otherwise stick with xm".

This particular issue is already fixed in newer Xen, which is good.
FWIW this was fixed by git commit 062ef262f9df upstream. Looks like it
was fixed in 4.2-rc1.

PÁSZTOR György
2013-Oct-22 10:49 UTC
[Pkg-xen-devel] Bug#727100: Bug#727100: domain doesn't reboot with xl toolstack
Hi,

"Ian Campbell" <ijc at hellion.org.uk> wrote on 2013-10-22 at 11:17:
> On Tue, 2013-10-22 at 11:52 +0200, PASZTOR Gyorgy wrote:
> > When you use xl toolstack, you can't reboot domUs.
> > When you switch back to xm toolstack, then reboot works again.
> > I think the problem with the debian packaged version is the same as in
> > this thread:
> > http://lists.xen.org/archives/html/xen-devel/2011-09/msg01289.html
> > I also think it's a security issue, since this is kind of a DoS from
> > the viewpoint of a domU.
>
> The only people who can migrate a domain in any sensible deployment
> would be the host administrator or maybe the VM admin. So there is no
> security aspect since they are already more than privileged enough to simply
> destroy the domain if they wanted.

I didn't mention migrate, I wrote about reboot.
However, if the domU's admin doesn't have host admin rights and just wants to
reboot, then it'll fail, and his machine will remain shut down until the
host admin starts it again...
What is this, if not a denial of service?

PS.: I understand that 4.1/xl is just 'try and use if works' in Debian 7.0,
but if your patch works, I don't see a reason why it couldn't be applied and
pushed through proposed-updates, and if a wider userbase tested it, it
could be incorporated into the next point release of Wheezy.

Cheers,
György

Debian Bug Tracking System
2014-Aug-10 12:03 UTC
[Pkg-xen-devel] Bug#727100: marked as done (domain doesn't reboot with xl toolstack)
Your message dated Sun, 10 Aug 2014 12:00:17 +0000
with message-id <E1XGRnN-0007aq-75 at franck.debian.org>
and subject line Bug#727100: fixed in xen 4.4.0-1
has caused the Debian Bug report #727100,
regarding domain doesn't reboot with xl toolstack
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner at bugs.debian.org
immediately.)

--
727100: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=727100
Debian Bug Tracking System
Contact owner at bugs.debian.org with problems
-------------- next part --------------
An embedded message was scrubbed...
From: PASZTOR Gyorgy <pasztor at linux.gyakg.u-szeged.hu>
Subject: domain doesn't reboot with xl toolstack
Date: Tue, 22 Oct 2013 11:52:02 +0200
Size: 5026
URL: <http://lists.alioth.debian.org/pipermail/pkg-xen-devel/attachments/20140810/656d5e58/attachment.mht>
-------------- next part --------------
An embedded message was scrubbed...
From: Bastian Blank <waldi at debian.org>
Subject: Bug#727100: fixed in xen 4.4.0-1
Date: Sun, 10 Aug 2014 12:00:17 +0000
Size: 9103
URL: <http://lists.alioth.debian.org/pipermail/pkg-xen-devel/attachments/20140810/656d5e58/attachment-0001.mht>