image_utils: xen server image handling issue
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
Cinder |
New
|
Undecided
|
Unassigned | ||
OpenStack Security Advisory |
Won't Fix
|
Undecided
|
Unassigned |
Bug Description
This may be something that can be worked on in the open as a normal bug/hardening opportunity, but I want to get some VMT feedback before making it public.
What complicates this a bit is that the issue occurs in some old code (introduced in Havana) that implements Xenserver image support [0]. Nova removed xenserver support in victoria [1], so there's no reason to have it in cinder any more ... though you never know what users are doing, so we'll have to discuss its removal in public, which will bring attention to the issue I'm about to describe. The primary thing that concerns me is that once you see this in the code, you realize that there is no way for an operator to turn it off ... all you need to do are set some specific image properties on an image payload in glance and you can force the behavior.
Here's the issue. Xenserver used the VHD disk format in an OVF container fomat, which is basically a VHD chain inside a tgz file, where the VHDs followed a specific naming convention. These would normally be created by the nova image-create server action. The cinder use is that if a user requests to create a volume from such an image, cinder has to unpack and then coalesce the VHDs into a single image that's written to the volume. So the potential vulnerabilty is that a bad actor uploads a gzip bomb or some kind of nasty gzipped tarfile to glance, sets the image properties, and then requests cinder to create a volume from it.
The cinder situation is:
- this happens in an operator-
- there's no way to turn off this behavior; cinder just looks to see if the image metadata has disk_format==vhd and container_
- before this would be called, there is a check to make sure the glance image metadata 'size' would fit in the available space [5] (but this is the number of bytes the thing takes up in glance, not its uncompressed size)
- the un-tgz is done by calling 'tar' using oslo processutils (eventually) with no processlimits [6] (so the good news is that as long as the server's tar has been kept up to date, it should be resistant to the known tar attacks)
So someone could slip a gzip bomb into glance, set the requisite metadata on the image, and then cinder would happily 'tar -zxf' it. But what I think would happen in that case is that you'd get a failure in the gunzip phase, and the process would error out without leaving anything behind in the tmp space.
tar itself isn't good about cleaning up when it runs out of space, though. I think it just reports an error and leaves whatever it untarred in the filesystem in whatever state it was when space was exhausted. I don't know enough about tar exploits to know whether it's possible to produce a tgz that doesn't run out of space in the gunzip phase but then does something bad in the untar phase that could fill up the isolated tmp space and make it unavailable for other processes.
In summary, I'm not sure how big a deal this issue is and whether it can be simply be worked on in the open as a normal bug/hardening opportunity, or whether it should be handled first as a private security issue.
[0] https:/
[1] https:/
[2] https:/
[3] https:/
[4] https:/
[5] https:/
[6] https:/
description: | updated |
Adding Nick Tait, who I've already discussed this with.