nbd mounter leaks nbd devices
Bug #1088083 reported by
Michael Still
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
OpenStack Compute (nova) |
Fix Released
|
High
|
Michael Still |
Bug Description
If the nbd device is in used by a non-nova-compute user, it is leaked forever.
information type: | Public → Private Security |
tags: | added: security |
information type: | Public Security → Public |
Changed in nova: | |
milestone: | none → grizzly-2 |
status: | Fix Committed → Fix Released |
Changed in nova: | |
milestone: | grizzly-2 → 2013.1 |
To post a comment you must log in.
Ok, I can see at least one race condition and a leak in the current version of the nbd code (nova/virt/ disk/mount/ nbd.py) . They are:
- the leak is: we check to see if there is a pid associated with a nbd device file. If there is we remove the device from the list of possible devices that we can use. We never re-add it. This is the bug that this bug was originally intended to track and was found the other day by Robert Collins and I. I am working on a patch for this problem now. The attack vector here is that a _local_ user could consume all the nbd devices for a short time which coincides with nova attempting to use nbd, and then nbd is broken for nova until it is restarted.
- the race is: we check that a pid doesn't exist for a nbd device file. We then execute qemu using that device file, and then declare success when there is a pid associated with the device file. However -- we never check that the pid associated is the pid we created. This means someone else could be providing something which we think is qemu but is something else. I guess this could be a disk image or something like that, but I'm not too sure what attack would be meaningful here.
I find none of these attacks individually too concerning, but I want to see what people think before I send of a series of reviews to resolve them.