A vm-admin in XAPI-based hypervisors (XenServer, XCP-ng) can exhaust a guest domain's xenstore quota by injecting a large number of vm-data/* keys into VM.xenstore_data. Xenstore enforces a per-domain quota (default 25 MB shared with guest agent data). Keys written to VM.xenstore_data are written to guest xenstore at /local/domain/<domid>/vm-data/ by xenopsd at domain.ml:604-624. When the injected data consumes the guest's quota, the guest's own xenstore operations fail, disrupting PV drivers, network configuration, and guest agent communication. The VM.xenstore_data field has zero map_keys_roles entries and no value length limits.
VM.xenstore_data is a Map(String, String) field writable by vm-admin with zero per-key RBAC. XAPI imposes no limits on the number of keys, key name length, or value length. The only filter is the filtered_xsdata prefix check at domain.ml:164-170 which accepts keys starting with vm-data/ or FIST/.
The exhaustion path:
vm-admin writes hundreds of large vm-data/* entries via XAPI:VM.add_to_xenstore_data(vm, "vm-data/flood-0001", "<large_string>")
VM.add_to_xenstore_data(vm, "vm-data/flood-0002", "<large_string>")
...
message_forwarding.ml:2092-2099)set_xsdata at domain.ml:2250-2255domain.ml:604-624ENOSPC or equivalentThe guest xenstore quota is shared between all consumers in the domain. Legitimate uses include PV driver configuration, network interface metadata, and guest agent communication. When vm-admin-injected data consumes this quota, the guest loses the ability to function correctly.
No size limits. XAPI imposes no limit on the number of keys, key name length, or value length in VM.xenstore_data. The database accepts arbitrarily large maps.
Missing RBAC protection. VM.xenstore_data has zero map_keys_roles entries. All key prefixes are writable by vm-admin.
Shared quota with guest services. Xenstore uses a per-domain quota that is shared between hypervisor-injected data and guest-generated data. There is no reservation or partitioning mechanism.
No quota awareness in XAPI. XAPI does not check whether the injected data will exceed the guest's xenstore quota before writing. The quota is enforced by xenstore itself, after the write attempt.
| Scenario | Impact | Pre-conditions | Status |
|---|---|---|---|
| Quota exhaustion | Inject large vm-data entries, exhausting guest xenstore quota | vm-admin | Source-traced |
| PV driver disruption | Quota exhaustion prevents PV drivers from writing to xenstore, causing network/disk failures | vm-admin, running VM | Modeled |
| Guest agent denial | Guest agent cannot report IP addresses, OS version, or metrics | vm-admin, running VM | Modeled |
| BOC-1 chain | vm-admin uses BOC-1 S3 to bulk-exhaust xenstore quotas across all VMs | vm-admin, BOC-1 | Source-traced |
VM.xenstore_data size (total key+value bytes) per VMVM.xenstore_data mapsdisclosure/vendor-detection-guidance.mdVM.xenstore_data for VMs with unusually large mapsvm-data/* entries not required for guest operationAdd size limits. Enforce maximum key count, key name length, and value length at the XAPI layer before writing to the database.
Add quota awareness. Before writing VM.xenstore_data to guest xenstore, check whether the data will exceed the guest's xenstore quota and reject the write if so.
Partition xenstore quota. Reserve a minimum quota for guest-generated xenstore entries separate from hypervisor-injected data.
Upstream patches exist. They are held privately pending coordinated disclosure.
Disclosure:
domain.ml:164-170 (allowed_xsdata_prefixes prefix filter), domain.ml:604-624 (vm-data dir created with rwperm, data written), domain.ml:2250-2255 (live update writes data to guest xenstore), message_forwarding.ml:2092-2099 (zero validation on write), datamodel_vm.ml:2818-2831 (VM.xenstore_data field definition)disclosure/advisories/xsd-security-advisory.md (XSD-4)research/investigations/vm-xenstore-data.mdDiscovered and reported by Jakob Wolffhechel, Moksha.