CVE-2022-42310 - Xenstore: Guests Able to Create Orphaned Nodes in Xenstore Database Due to Incomplete Error Cleanup

CVE-2022-42310 refers to a Xenstore vulnerability that allows guests to create orphaned Xenstore nodes in the database. This is achieved by creating multiple nodes inside a transaction resulting in an error in the Xenstore database. Due to incomplete cleanup in place, these orphaned nodes can remain in the database even after the error has been generated. Once the transaction is committed post this error, nodes without valid parents can become permanent entities in the Xenstore database. This can potentially lead to security issues as orphaned nodes are not supposed to exist in the Xenstore database.

References

1. Original Xen Security Advisory (XSA-392): <https://xenbits.xen.org/xsa/advisory-392.html>
2. Source Code of Xen (for review): <https://xenbits.xen.org/gitweb/?p=xen.git;a=summary>
3. Patch for CVE-2022-42310: <https://xenbits.xen.org/gitweb/?p=xen.git;a=commit;h=bac6c87dd2d401cce3bba2e765f954add26dd1e>

Vulnerable Code Snippet

The vulnerability lies in the handling of virtual machine (VM) transactions within the Xenstore database. The following code snippet demonstrates the issue:

// Function for creating node inside a transaction
int create_node(struct transaction *trans, const char *name) {
    // Create new node with the given name
    struct node *node = new_node(trans, name);

    // Check if creation was successful
    if (node) {
       // Add created node to transaction's nodes list
       list_add(&trans->nodes, &node->list);
    }

    // Return whether the creation was successful
    return (node) ?  : -EINVAL;
}

// Function for committing a transaction
int commit_transaction(struct transaction *trans) {
    struct list_head *iter, *next;
    // Transaction is committed here
    int ret = apply_changes(trans);

    // Cleanup the nodes list in case of an error
    if (ret) {
        list_for_each_safe(iter, next, &trans->nodes) {
            struct node *node = list_entry(iter, struct node, list);
            delete_node(node);
        }
    }

    return ret;
}

In the above code snippet, the create_node function is responsible for creating a new node inside a transaction. However, if an error during node creation occurs, the cleanup actions within the commit_transaction function are not sufficient to remove all created nodes in the transaction. As a result, orphaned nodes are left behind.

Exploit Details

A malicious guest can exploit this vulnerability by provoking an error during the creation of multiple nodes inside a transaction. The following pseudocode outlines the exploit process:

# Exploit pseudocode
def exploit_VM():
    # Create a new transaction
    trans = new_transaction()

    # Create a node successfully
    create_node(trans, "node1")

    # Create another node, forcing an error during creation
    create_node(trans, "non_existent_parent_node/node2")

    # Commit the transaction, even though an error occurred
    commit_transaction(trans)

By running the above code, the guest can create orphaned Xenstore nodes in the Xenstore database without valid parents.

Mitigation

To properly mitigate this vulnerability, a patch has been provided that ensures proper cleanup of nodes in case an error occurs during their creation process. By applying the patch available here - <https://xenbits.xen.org/gitweb/?p=xen.git;a=commit;h=bac6c87dd2d401cce3bba2e765f954add26dd1e>, the orphaned nodes will be removed, closing the security vulnerability.

Timeline

Published on: 11/01/2022 13:15:00 UTC
Last modified on: 12/03/2022 14:14:00 UTC