| Reported on: | 20141208 |
|---|---|
| Published on: | 20141208 |
| Fixed on: | 20141209 |
| Reported by: | Peter Krempa |
| Patched by: | Peter Krempa |
When fine-grained ACLs are used to restrict which users may migrate domains, a logic bug could leave the domain locked after a denied request and prevent any further operation on that domain.

A client that lacks the domain:migrate fine-grained ACL permission could therefore use a failed migration attempt to trigger a denial of service against a more privileged user.

The bug is mitigated by the fact that the "perform" and "finish" states of migration can generally be reached only after a successful "begin" or "prepare" state, both of which also require the same domain:migrate permission. Furthermore, the "prepare" state also requires the domain:write permission, and any user who has been granted that permission is already deemed to have full control over the system; even if domain:migrate permission is dynamically denied after migration has already started in order to trigger the flaw, an attack by such a user generally does not constitute a denial of service against a more privileged user.

On the other hand, a malicious client that has access to the read-write socket via only a weaker privilege such as domain:read can send RPC commands out of order, attempting a "perform" without going through the prerequisite states, and thereby trigger the bug in a manner that forms a denial of service. Read-only clients cannot trigger the problem, even via bad RPC commands.

It is possible to avoid the bug by not using the fine-grained access control mechanism.
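The following is an added illustration of the locking defect the notice describes, written as a self-contained model rather than taken from libvirt's source. It assumes a hypothetical per-domain lock and a bitmask ACL check; the function and type names (`perform_migration_buggy`, `perform_migration_fixed`, `run_scenario`, `PERM_MIGRATE`) are constructed for this example. The buggy variant returns early when the ACL check fails and so never releases the lock; the fixed variant routes every exit through a single cleanup path. The scenario runner replays the sequence from the notice: a client holding only domain:read sends a "perform" out of order, and a fully privileged client then tries to operate on the same domain.

```c
#include <stdio.h>

/* Hypothetical model (not libvirt's code) of the pattern behind this notice:
 * a per-domain lock is taken before the fine-grained ACL check, so the
 * ACL-failure path must release it. */

enum perm { PERM_READ = 1, PERM_WRITE = 2, PERM_MIGRATE = 4 };

struct domain {
    const char *name;
    int locked;       /* stands in for the per-object mutex */
};

struct client {
    const char *id;
    unsigned perms;   /* bitmask of granted fine-grained ACL permissions */
};

/* Returns 0 on success, -1 if the lock is already held (a real mutex would
 * block here forever, which is the denial of service). */
static int domain_lock(struct domain *dom)
{
    if (dom->locked)
        return -1;
    dom->locked = 1;
    return 0;
}

static void domain_unlock(struct domain *dom)
{
    dom->locked = 0;
}

static int acl_check(const struct client *c, unsigned needed)
{
    return (c->perms & needed) == needed;
}

/* Vulnerable shape: the early return on ACL failure skips the unlock. */
int perform_migration_buggy(struct domain *dom, const struct client *c)
{
    if (domain_lock(dom) < 0)
        return -2;                 /* domain still locked by an earlier call */
    if (!acl_check(c, PERM_MIGRATE))
        return -1;                 /* BUG: lock is never released */
    /* ... migration work would happen here ... */
    domain_unlock(dom);
    return 0;
}

/* Fixed shape: every exit after the lock goes through cleanup. */
int perform_migration_fixed(struct domain *dom, const struct client *c)
{
    int ret = -1;
    if (domain_lock(dom) < 0)
        return -2;
    if (!acl_check(c, PERM_MIGRATE))
        goto cleanup;
    /* ... migration work would happen here ... */
    ret = 0;
cleanup:
    domain_unlock(dom);
    return ret;
}

/* Replays the notice's scenario with constructed clients: a domain:read-only
 * client sends "perform" out of order (denied), then a fully privileged
 * client operates on the same domain. Returns the privileged client's result:
 * 0 means the domain was usable, -2 means it was left locked. */
int run_scenario(int (*perform)(struct domain *, const struct client *))
{
    struct domain dom = { "guest1", 0 };
    struct client weak = { "reader", PERM_READ };
    struct client admin = { "admin", PERM_READ | PERM_WRITE | PERM_MIGRATE };

    perform(&dom, &weak);          /* ACL denies: returns -1 either way */
    return perform(&dom, &admin);
}

int main(void)
{
    printf("buggy: privileged client result = %d\n",
           run_scenario(perform_migration_buggy));
    printf("fixed: privileged client result = %d\n",
           run_scenario(perform_migration_fixed));
    return 0;
}
```

With the buggy variant the privileged client gets -2 (the lock is still held by the denied request), which is the denial of service; with the fixed variant it gets 0. The same pattern is worth checking in any dispatcher that acquires a resource before an authorization check.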