libxl fails to honour readonly flag on disks with qemu-xen

2015-09-22T10:00:00
ID XSA-142
Type xen
Reporter Xen Project
Modified 2015-09-22T15:15:00

Description

ISSUE DESCRIPTION

Callers of libxl can specify that a disk should be read-only to the guest. However, there is no code in libxl to pass this information to qemu-xen (the upstream-based qemu); and indeed there is no way in qemu to make a disk read-only. The vulnerability is exploitable only via devices emulated by the device model, not the parallel PV devices for supporting PVHVM. Normally the PVHVM device unplug protocol renders the emulated devices inaccessible early in boot.

IMPACT

Malicious guest administrators or (in some situations) users may be able to write to supposedly read-only disk images. CDROM devices (that is, devices specified to be presented to the guest as CDROMs, regardless of the nature of the backing storage on the host) are not affected.

VULNERABLE SYSTEMS

Only systems using qemu-xen (rather than qemu-xen-traditional) as the device model version are vulnerable. Only systems using libxl or libxl-based toolstacks are vulnerable. (This includes xl, and libvirt with the libxl driver.) All versions of libxl which support qemu-xen are vulnerable. The affected code was introduced in Xen 4.1. If the host and guest together usually support PVHVM, the issue is exploitable only if the malicious guest administrator has control of the guest kernel or guest kernel command line.