A pool-operator in XAPI-based hypervisors (XenServer, XCP-ng) can inject arbitrary bond configuration properties into OVS or Linux bonding by writing keys with the bond- prefix to PIF.other_config. The bond-override extraction at nm.ml:216-227 takes every key with the bond- prefix, strips the prefix, and passes the remainder as a bond property name with zero validation of property names or values. This enables bond mode changes (e.g., active-backup to balance-slb), bond timer manipulation, and injection of completely invalid parameters causing OVS errors and network disruption.
PIF.other_config is a Map(String, String) field writable by pool-operator with zero map_keys_roles entries. The bond-* key prefix is consumed by the bond creation logic in nm.ml.
The code path:

1. pool-operator calls PIF.add_to_other_config(bond_master_pif, "bond-mode", "balance-tcp").
2. On bring_pif_up, nm.create_bond at nm.ml:216-227 is invoked.
3. It reads pif_other_config and filters keys starting with bond-:

```ocaml
let overrides = List.filter_map (fun (k, v) ->
    if String.starts_with ~prefix:"bond-" k then Some (String.sub_to_end k 5, v)
    else None
  ) master_rc.API.pIF_other_config
```

4. The overrides are handed to the bond backend, OVS (ovs-vsctl bond configuration) or Linux bonding, with no validation.

This allows injection of any string as a bond property name and any string as its value. There is no whitelist of valid bond properties and no validation of values.
Missing RBAC protection. PIF.other_config has zero map_keys_roles entries. All keys, including the bond-* prefix pattern, are writable by pool-operator.
Missing input validation. The nm.ml:216-227 bond override mechanism accepts any key after the bond- prefix as a bond property name. No whitelist of valid bond properties is enforced. No validation of values is performed.
Prefix-based key consumption. The bond- prefix pattern creates an open-ended injection surface - the number of injectable properties is unbounded.
PIF.other_config has highest merge precedence. In the other_config merge chain (nm.ml:112-120), PIF.other_config overrides both Network.other_config and Pool.other_config. A PIF-level bond property override cannot be counteracted at the pool or network level.
| Scenario | Impact | Pre-conditions | Status |
|---|---|---|---|
| Bond mode override | Change bond mode from active-backup to balance-slb, disrupting traffic distribution | pool-operator, bonded PIF | Source-traced |
| Bond timer manipulation | Modify miimon, downdelay, updelay - cause slow failover or false link-down events | pool-operator, bonded PIF | Source-traced |
| Invalid property injection | Inject non-existent bond properties causing OVS errors and bridge instability | pool-operator, bonded PIF (OVS mode) | Source-traced |
| BOC-1 chain | vm-admin uses BOC-1 S3 to self-grant pool-operator, then injects bond properties | vm-admin, BOC-1, bonded PIF | Source-traced |
Detection:

- Check PIF.other_config for keys with the bond- prefix (see disclosure/vendor-detection-guidance.md).
- Review PIF.other_config entries for unexpected bond-* keys.
- Monitor PIF.other_config changes.

Mitigation:

- Whitelist bond properties. Replace the open-ended bond- prefix extraction with a fixed whitelist of known valid bond properties (mode, miimon, updelay, downdelay, lacp-time).
- Validate bond property values. For each whitelisted property, validate the value against the acceptable range (e.g., mode must be one of the known bond modes).
- Add map_keys_roles. Protect bond-* keys at _R_POOL_ADMIN in datamodel.ml.
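As an added illustration of the whitelist-plus-validation fix (example code written for this page in Python, not XAPI's OCaml and not any upstream patch), the function below models the hardened override extraction and also reports the bond-* keys an audit of PIF.other_config should flag. The accepted lacp-time values, the non-negative-millisecond timer check and the sample other_config are assumptions constructed for the example.

```python
import re

BOND_PREFIX = "bond-"

# Accepted values per whitelisted property.  Mode names appear in the advisory;
# the lacp-time values and the non-negative-millisecond timer check are
# assumptions for this example, not taken from XAPI's sources.
BOND_MODES = {"active-backup", "balance-slb", "balance-tcp"}
LACP_TIMES = {"fast", "slow"}
MILLIS = re.compile(r"[0-9]+")

BOND_PROPERTY_VALIDATORS = {
    "mode": lambda v: v in BOND_MODES,
    "miimon": MILLIS.fullmatch,
    "updelay": MILLIS.fullmatch,
    "downdelay": MILLIS.fullmatch,
    "lacp-time": lambda v: v in LACP_TIMES,
}


def extract_bond_overrides(other_config):
    """Hardened counterpart of the bond- prefix filter.
    Returns (accepted, rejected): accepted maps property -> value for valid
    whitelisted keys; rejected lists (key, reason) for every other bond-* entry."""
    accepted, rejected = {}, []
    for key, value in other_config.items():
        if not key.startswith(BOND_PREFIX):
            continue  # unrelated other_config entry, not a bond override
        prop = key[len(BOND_PREFIX):]  # same strip as String.sub_to_end k 5
        validator = BOND_PROPERTY_VALIDATORS.get(prop)
        if validator is None:
            rejected.append((key, "not a whitelisted bond property"))
        elif not validator(value):
            rejected.append((key, f"invalid value {value!r}"))
        else:
            accepted[prop] = value
    return accepted, rejected


# Constructed sample PIF.other_config mixing legitimate and bad entries.
SAMPLE_OTHER_CONFIG = {
    "bond-mode": "balance-slb",
    "bond-miimon": "100",
    "bond-updelay": "31000; bogus",
    "bond-no_such_property": "1",
    "ethtool-gro": "off",
}

if __name__ == "__main__":
    accepted, rejected = extract_bond_overrides(SAMPLE_OTHER_CONFIG)
    print("accepted:", accepted, "rejected:", rejected)
```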
Upstream patches exist. They are held privately pending coordinated disclosure.
Disclosure:
Source references:

- nm.ml:216-227 (bond property override extraction)
- nm.ml:112-120 (other_config merge precedence)
- datamodel.ml:2784-2788 (PIF.other_config field definition)
- disclosure/advisories/poc-security-advisory.md (POC-1)
- research/investigations/pif-other-config.md

Discovered and reported by Jakob Wolffhechel, Moksha.