OpenStack Compute (nova)

Volumes aren't zeroed out

Bug #752735 reported by Jesse Andrews
258
This bug affects 1 person
Affects Status Importance Assigned to Milestone
OpenStack Compute (nova)
Fix Released
High
Jesse Andrews
OpenStack Compute (nova) 2011.2 "cactus"

Bug Description

In LVM implementation, users can potentially access data from other users after volumes are destroyed.

Steps to reproduce:

1) Setup a new install of Nova with Volumes
2) Run a single nova-volume worker using a single 1G volume group
3) Project A:
  * create an instance
  * create a 1G volume
  * attach to instance
  * format & mount volume to /dev/vdb
  * put content onto volume
  * unmount volume
  * detach volume
  * destroy volume
4) Project B:
  * create an instance
  * create 1 1G volume
  * attach to instance at /dev/vdb
  * dd if=/dev/vdb of=/root/data

Expected: project B has a file full of zeros
Actual: project B has a file with information from project A

-----

Simplified Nova is doing the following:

# create a volume group against a file
truncate -s 1G volumes
DEV=`sudo losetup -f --show volumes`
sudo vgcreate nova-volumes $DEV

# manually zero out nova-volumes
lvcreate --size 1000M --name snap nova-volumes
dd if=/dev/zero of=/dev/mapper/nova--volumes-snap
od /dev/mapper/nova--volumes-snap

# verify everything is still zeros
lvremove nova-volumes
lvcreate --size 1000M --name snap nova-volumes
od /dev/mapper/nova--volumes-snap

# put some randomness in
dd if=/dev/urandom of=/dev/mapper/nova--volumes-snap bs=1024 count=1024
lvremove nova-volumes

# and you can still see the randomness
lvcreate --size 1000M --name snap nova-volumes
od /dev/mapper/nova--volumes-snap

Related branches

lp:~anotherjesse/nova/zero-volumes
Devin Carlen (community): Approve
Soren Hansen (community): Needs Fixing
Jesse Andrews (community): Approve
Sandy Walsh (community): Needs Information
Diff: 28 lines (+7/-0)
2 files modified
.mailmap (+1/-0)
nova/volume/driver.py (+6/-0)
Thierry Carrez (ttx)
visibility: private → public
Changed in nova:
importance: Undecided → High
milestone: none → cactus-rc
status: New → Confirmed
Revision history for this message
Thierry Carrez (ttx) wrote :

@Jesse: do you have someone working on this ? Would be good to fix before Cactus release...

Revision history for this message
Jesse Andrews (anotherjesse) wrote :

working on it

Revision history for this message
Jesse Andrews (anotherjesse) wrote :

Adding zeroing out on deletion.

could have done it on creation, but it would be slower for create-volume command

Thierry Carrez (ttx)
Changed in nova:
assignee: nobody → anotherjesse (anotherjesse)
status: Confirmed → In Progress
Thierry Carrez (ttx)
Changed in nova:
status: In Progress → Fix Committed
Thierry Carrez (ttx)
Changed in nova:
milestone: cactus-rc → 2011.2
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.