OS-6682: bhyve zones can destroy any VM

Resolution

Fixed: A fix for this issue is checked into the tree and tested.
(Resolution Date: 2018-03-13T11:56:07.407Z)

Fix Versions

2018-03-15 Nibelheim (Release Date: 2018-03-15)

Related Issues

Related Links

Description

The VMM_DESTROY_VM ioctl does not check the VM's ->sc_zone against the caller's zone credential, so a non-global zone can destroy any VM whose name it can guess.
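The missing check described above, shown as an added, self-contained model rather than the illumos vmm code: a small VM table where each entry records the zone that created it (the `sc_zone` field mirrors the name used in this issue), an unchecked destroy path that only guards against a busy VM with EBUSY (the partial protection Jerry's first comment refers to), and a checked path that compares the owner zone with the caller's zone and returns EPERM before touching the VM. All names, the global-zone allowance and the busy flag are assumptions of this illustration.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added illustration, not illumos code: a minimal in-memory VM table. */
#define ZONE_GLOBAL   0      /* assumed: the global zone may manage every VM */
#define MAX_VMS       4
#define NAME_MAX_LEN  32

struct vm_softc {
    char name[NAME_MAX_LEN];
    int  sc_zone;   /* id of the zone that created this VM (assumed field) */
    int  busy;      /* models a VM still open by its zone: destroy returns EBUSY */
    int  used;      /* slot occupied */
};

static struct vm_softc vm_table[MAX_VMS];

void vm_reset_table(void)
{
    memset(vm_table, 0, sizeof(vm_table));
}

static struct vm_softc *vm_lookup(const char *name)
{
    for (int i = 0; i < MAX_VMS; i++)
        if (vm_table[i].used && strcmp(vm_table[i].name, name) == 0)
            return &vm_table[i];
    return NULL;
}

/* Returns the owning zone id, or -1 if no VM of that name exists. */
int vm_owner_zone(const char *name)
{
    struct vm_softc *sc = vm_lookup(name);
    return sc ? sc->sc_zone : -1;
}

int vm_create(const char *name, int zone)
{
    if (vm_lookup(name) != NULL)
        return EEXIST;
    for (int i = 0; i < MAX_VMS; i++) {
        if (!vm_table[i].used) {
            strncpy(vm_table[i].name, name, NAME_MAX_LEN - 1);
            vm_table[i].name[NAME_MAX_LEN - 1] = '\0';
            vm_table[i].sc_zone = zone;
            vm_table[i].busy = 0;
            vm_table[i].used = 1;
            return 0;
        }
    }
    return ENOSPC;
}

int vm_set_busy(const char *name, int busy)
{
    struct vm_softc *sc = vm_lookup(name);
    if (sc == NULL)
        return ENOENT;
    sc->busy = busy;
    return 0;
}

/* Vulnerable shape: the caller's zone is never consulted. Anyone who can
 * guess the name destroys the VM; only a busy VM is (incidentally) protected. */
int vm_destroy_unchecked(const char *name)
{
    struct vm_softc *sc = vm_lookup(name);
    if (sc == NULL)
        return ENOENT;
    if (sc->busy)
        return EBUSY;
    memset(sc, 0, sizeof(*sc));
    return 0;
}

/* Fixed shape: compare the VM's owning zone with the caller's zone before
 * doing anything else, so a foreign zone gets EPERM and never reaches the
 * destroy path (and never learns whether the VM is busy). */
int vm_destroy_checked(const char *name, int caller_zone)
{
    struct vm_softc *sc = vm_lookup(name);
    if (sc == NULL)
        return ENOENT;
    if (caller_zone != ZONE_GLOBAL && sc->sc_zone != caller_zone)
        return EPERM;
    if (sc->busy)
        return EBUSY;
    memset(sc, 0, sizeof(*sc));
    return 0;
}

int main(void)
{
    vm_reset_table();
    vm_create("SYSbhyve-21", 21);
    printf("unchecked, from zone 7: %d\n", vm_destroy_unchecked("SYSbhyve-21"));
    vm_create("SYSbhyve-21", 21);
    printf("checked, from zone 7:   %d (EPERM=%d)\n",
           vm_destroy_checked("SYSbhyve-21", 7), EPERM);
    return 0;
}
```

The ordering in `vm_destroy_checked` is the point of the fix: the ownership test runs before the busy test, so a caller in the wrong zone is refused with EPERM regardless of the VM's state, matching the EPERM-before-destroy behaviour verified with DTrace in the comments below.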

Comments

Comment by Jerry Jelinek
Created at 2018-02-23T14:57:39.360Z
I have a fix for this, but the actual behavior is not as bad as it first seems, since within the vmm_do_vm_destroy_locked function we're going to return EBUSY if a compromised zone attacks another one.

Comment by Jerry Jelinek
Created at 2018-02-23T15:48:31.013Z
Updated at 2018-02-23T15:56:23.684Z
To test this I wrote a small test program which does a zone_enter into a given zone, then issues the VMM_DESTROY_VM ioctl against a specific vmm name (SYSbhyve-21) on my test setup. I then target that test program into a different bhyve branded zone. I used DTrace to confirm that before the fix we're going into vmmdev_do_vm_destroy(SYSbhyve-21), but after the fix we get EPERM out of vmmdev_do_vm_destroy. I also verified that normal zone halt and reboot work as expected, both from the CLI and from within the VM.

Comment by Jira Bot
Created at 2018-03-13T11:55:36.662Z
illumos-joyent commit b13e485c93c36fd37d5470756bc0f7d7bd44d018 (branch master, by Jerry Jelinek)

OS-6682 bhyve zones can destroy any VM
Reviewed by: Patrick Mooney <patrick.mooney@joyent.com>
Reviewed by: Mike Gerdts <mike.gerdts@joyent.com>
Approved by: Patrick Mooney <patrick.mooney@joyent.com>