NULs should be persisted when securely clearing volumes

Bug #1100363 reported by Pádraig Brady
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
Cinder | Fix Released | Low | Pádraig Brady |
OpenStack Compute (nova) | Fix Released | Low | Pádraig Brady |

Bug Description

Currently O_DIRECT is _not_ used when copying from /dev/zero
and there are issues with enabling that (see 444cd542).
That leaves the possibility that data in the write cache
may be flushed if the device is unprovisioned.

Given that this only affects data towards the end of a device,
and that it may only be significant on shared storage systems,
I'm not sure how much of an issue this is in practice.
Nevertheless I've marked this bug as security sensitive for now.

Note the same issue impacts nova and cinder.

Tags: security
Pádraig Brady (p-draigbrady) wrote :

proposed nova grizzly fix

Pádraig Brady (p-draigbrady) wrote :

proposed cinder grizzly fix

Vish Ishaya (vishvananda) wrote :

+1

Changed in nova:
status: New → In Progress
Changed in cinder:
status: New → In Progress
importance: Undecided → Low
Changed in nova:
importance: Undecided → Low
Thierry Carrez (ttx) wrote :

I'm not sure this warrants an embargo and advisory. It makes sure we cover a theoretical edge case in zeroing, which is good, but it's a bit of a long stretch. Thoughts ?

Pádraig Brady (p-draigbrady) wrote :

After further thought/discussion I'm even more of the opinion that this can go straight in

Thierry Carrez (ttx) wrote :

@Padraig: please push right in :)

information type: Private Security → Public
tags: added: security
OpenStack Infra (hudson-openstack) wrote : Fix proposed to nova (master)

Fix proposed to branch: master
Review: https://review.openstack.org/20124

Changed in nova:
assignee: nobody → Pádraig Brady (p-draigbrady)
Changed in cinder:
assignee: nobody → Pádraig Brady (p-draigbrady)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to cinder (master)

Fix proposed to branch: master
Review: https://review.openstack.org/20125

OpenStack Infra (hudson-openstack) wrote : Fix merged to cinder (master)

Reviewed: https://review.openstack.org/20125
Committed: http://github.com/openstack/cinder/commit/0007d255d9b20da4e5bbcdbaf5813104fbc092da
Submitter: Jenkins
Branch: master

commit 0007d255d9b20da4e5bbcdbaf5813104fbc092da
Author: Pádraig Brady <email address hidden>
Date: Wed Jan 16 16:23:48 2013 +0000

    ensure zeros are written out when clearing volumes

    Note O_DIRECT is _not_ used when copying from /dev/zero
    and there are issues with enabling that (see 444cd542).
    Therefore we arrange to have dd issue an fdatasync()
    to ensure the data is persisted, lest it be discarded
    from the write cache when the device is unprovisioned.

    * cinder/volume/drivers/lvm.py (_copy_volume): Add 'conv=fdatasync'
    to the dd option list if O_DIRECT isn't used when clearing
    (which it won't as described above).

    Fixes bug: 1100363
    Change-Id: I76789557754ebaeb6d52bb34548a2ef17808fbf6

Changed in cinder:
status: In Progress → Fix Committed
OpenStack Infra (hudson-openstack) wrote : Fix merged to nova (master)

Reviewed: https://review.openstack.org/20124
Committed: http://github.com/openstack/nova/commit/df749aea97cd8578952cc21b5289ae9c32f73c98
Submitter: Jenkins
Branch: master

commit df749aea97cd8578952cc21b5289ae9c32f73c98
Author: Pádraig Brady <email address hidden>
Date: Wed Jan 16 16:50:57 2013 +0000

    ensure zeros are written out when clearing volumes

    Note O_DIRECT is _not_ used at the end of devices to
    avoid issues with odd sized blocks etc. so instead
    we arrange to have dd issue an fdatasync()
    to ensure the data is persisted, lest it be discarded
    from the write cache when the device is unprovisioned.

    * nova/virt/libvirt/utils.py (clear_logical_volume): Add 'conv=fdatasync'
    to the dd option list if O_DIRECT isn't used when clearing.

    Fixes bug: 1100363
    Change-Id: I76789557754ebaeb6d52bb34548a2ef17808fbf6

Changed in nova:
status: In Progress → Fix Committed
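
Added example (not code from nova or cinder): the rule that both commit messages above describe, sketched as a planner for the dd passes that zero a volume. O_DIRECT is used only for the bulk pass with the largest block size, every other pass carries conv=fdatasync, and a second function flags any pass that would leave its zeros only in the write cache. The function names, block sizes and device path are assumptions made for illustration.

```python
MIB = 1024 * 1024


def plan_zero_passes(path, size_bytes, use_direct=True,
                     block_sizes=(MIB, 1024, 1)):
    """Return dd argv lists that together overwrite size_bytes of path.

    Only the first (largest) block size may use oflag=direct. Passes over
    the odd-sized tail go through the page cache, so they carry
    conv=fdatasync, which makes dd call fdatasync() before it exits.
    """
    passes, offset = [], 0
    for index, bs in enumerate(block_sizes):
        if offset % bs:
            raise ValueError("each block size must divide the previous one")
        count = (size_bytes - offset) // bs
        if count == 0:
            continue
        direct = use_direct and index == 0
        passes.append(["dd", "if=/dev/zero", "of=%s" % path, "bs=%d" % bs,
                       "seek=%d" % (offset // bs), "count=%d" % count,
                       "oflag=direct" if direct else "conv=fdatasync"])
        offset += count * bs
    return passes


def passes_left_in_cache(passes):
    """Return the passes whose zeros may exist only in the write cache."""
    risky = []
    for argv in passes:
        opts = dict(arg.split("=", 1) for arg in argv[1:] if "=" in arg)
        conv = set(opts.get("conv", "").split(","))
        oflag = set(opts.get("oflag", "").split(","))
        if not (conv & {"fdatasync", "fsync"}
                or oflag & {"direct", "dsync", "sync"}):
            risky.append(argv)
    return risky


if __name__ == "__main__":
    # Constructed sample: a 5 MiB + 1537 byte volume at a made-up path.
    plan = plan_zero_passes("/dev/example_vg/volume-demo", 5 * MIB + 1537)
    for argv in plan:
        print(" ".join(argv))
    print("passes left in cache:", passes_left_in_cache(plan))
```

Passing use_direct=False models the cinder case, where O_DIRECT is not used at all and every pass therefore needs conv=fdatasync.
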
Thierry Carrez (ttx)
Changed in nova:
milestone: none → grizzly-3
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in cinder:
milestone: none → grizzly-3
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in nova:
milestone: grizzly-3 → 2013.1
Thierry Carrez (ttx)
Changed in cinder:
milestone: grizzly-3 → 2013.1
Kurt Seifried (kseifried) wrote :

Is there a reason this wasn't treated as a security issue? It can result in "wiped" devices not being wiped which sounds like potential information disclosure.
