Xen Project XSA-322
Dec 15, 2020 - 12:00 p.m.

Xenstore: new domains inheriting existing node permissions

Source: xenbits.xen.org

EPSS: 0.0004 (Low), percentile 13.6%

ISSUE DESCRIPTION

Access rights of Xenstore nodes are per domid. Unfortunately, access rights that were granted to a domain are not removed when that domain is destroyed. This means that a new domain created with the same domid inherits the Xenstore access rights of the previous domain(s) that held that domid.
All Xenstore entries of a guest below /local/domain/<domid> are deleted by the Xen tools when the guest is destroyed. Only nodes belonging to other guests that reference the destroyed guest's domid in their permissions (for example, backend nodes a driver domain publishes for a frontend) are therefore potentially affected.
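The following is an added model of the permission mechanism described above, not code from xenstored or the Xen tools. It keeps a per-node ACL keyed on domid with real Xenstore semantics (owner entry first, its permission letter acting as the default for everyone else, explicit per-domid overrides after it, dom0 unrestricted), deletes a guest's own subtree on destruction the way the tools do, and then shows that a recycled domid inherits a grant on a node that survived. The backend path, the hypothetical management stack that leaves that node behind, and the `revoke_acls` hardening step are all constructed for the example.

```python
"""Toy model of Xenstore per-domid node permissions.

Constructed example for this advisory, not code from xenstored. Nodes carry
an ACL keyed on domid, so when a domid is recycled the new domain inherits
whatever the old holder was granted on nodes that outlived it (XSA-322).
"""

# Permission letters as used by xenstore-chmod: n=none, r=read, w=write, b=both.
_ALLOW = {"n": frozenset(), "r": frozenset({"read"}),
          "w": frozenset({"write"}), "b": frozenset({"read", "write"})}

# Constructed path: a node a driver domain (domid 3) publishes for frontend domid 7.
BACKEND_NODE = "/local/domain/3/backend/vbd/7/51712/params"


class XenstoreModel:
    def __init__(self):
        # path -> (value, perms). perms[0] = (owner, default for everyone else);
        # later entries are per-domid overrides, mirroring real Xenstore ACLs.
        self.nodes = {}

    def write(self, path, value, perms):
        self.nodes[path] = (value, list(perms))

    def allowed(self, domid, path, op):
        """dom0 and the owner are unrestricted; otherwise the first matching
        per-domid entry decides, else the owner's default letter applies."""
        if domid == 0:
            return True
        _, perms = self.nodes[path]
        owner, default = perms[0]
        if domid == owner:
            return True
        for dom, perm in perms[1:]:
            if dom == domid:
                return op in _ALLOW[perm]
        return op in _ALLOW[default]

    def create_domain(self, domid):
        self.write(f"/local/domain/{domid}", "", [(domid, "n")])

    def destroy_domain(self, domid, revoke_acls):
        prefix = f"/local/domain/{domid}"
        # What the Xen tools do on destroy: delete the guest's own subtree.
        for path in [p for p in self.nodes if p == prefix or p.startswith(prefix + "/")]:
            del self.nodes[path]
        if revoke_acls:
            # Assumed hardening (not the Xen fix itself): drop the dead domid from
            # every surviving ACL so a later domain with that domid inherits nothing.
            for path, (value, perms) in self.nodes.items():
                kept = [(d, p) for d, p in perms[1:] if d != domid]
                self.nodes[path] = (value, [perms[0]] + kept)

    def nodes_granting(self, domid):
        """Audit helper: surviving nodes whose ACL names this domid explicitly."""
        return sorted(p for p, (_, perms) in self.nodes.items()
                      if any(d == domid for d, _ in perms[1:]))


def run_scenario(revoke_acls):
    """Backend dom 3 grants frontend dom 7 read on a node outside dom 7's subtree;
    a hypothetical management stack destroys dom 7 without removing that node."""
    xs = XenstoreModel()
    xs.create_domain(3)
    xs.create_domain(7)
    xs.write("/local/domain/7/device/vbd/51712", "", [(7, "n")])   # guest's own node
    xs.write(BACKEND_NODE, "/dev/vg/guest7", [(3, "n"), (7, "r")])  # the intended grant
    assert xs.allowed(7, BACKEND_NODE, "read")
    xs.destroy_domain(7, revoke_acls)
    xs.create_domain(7)  # an unrelated new guest receives the recycled domid
    return {
        "new_dom7_can_read": xs.allowed(7, BACKEND_NODE, "read"),
        "stale_grants": xs.nodes_granting(7),
        "first_guest_node_gone": "/local/domain/7/device/vbd/51712" not in xs.nodes,
    }


if __name__ == "__main__":
    print("without revocation:", run_scenario(False))
    print("with revocation:   ", run_scenario(True))
```

`nodes_granting()` is the check a practitioner wants after a domain is torn down: any node still naming the dead domid in its ACL is exactly the inheritance surface the advisory describes, and on a real host the equivalent is to inspect permissions with `xenstore-ls -p` for entries that reference a domid no longer in use.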

IMPACT

In some circumstances, it might be possible for a new guest domain to access resources belonging to a previous domain. The impact would depend on the software in use and the configuration, but might include any of denial of service, information leak, or privilege escalation.

VULNERABLE SYSTEMS

All versions of Xen are in principle vulnerable.
Both Xenstore implementations (C and Ocaml) are vulnerable.
Vulnerable systems are only those running software where one domain is granted access to another’s xenstore nodes, without complete cleanup of those nodes on domain destruction. No such software is enabled in default configurations of upstream Xen.
Therefore upstream Xen, without additional management software (in host or guest(s)), is not vulnerable in the default (host and guest) configuration.