From fb97fb2282f6a4094678e176e99baeef5509e10d Mon Sep 17 00:00:00 2001
From: Eric Harney
Date: Tue, 31 Mar 2015 19:48:17 -0400
Subject: [PATCH] Disallow backing files when uploading volumes to image
Volumes with a header referencing a backing file can leak file data into the destination image when uploading a volume to an image. Halt the upload process if the volume data references a backing file to prevent this.
Closes-Bug: #1415087
---
 cinder/image/image_utils.py | 14 ++++++++++++++
 1 file changed, 14 insertions(+)
diff --git a/cinder/image/image_utils.py b/cinder/image/image_utils.py
index 6224da6..19e563d 100644
--- a/cinder/image/image_utils.py
+++ b/cinder/image/image_utils.py
@@ -345,6 +345,20 @@ def upload_volume(context, image_service, image_meta, volume_path,
 with temporary_file() as tmp:
 LOG.debug("%s was %s, converting to %s", image_id, volume_format, image_meta['disk_format'])
+
+ data = qemu_img_info(volume_path, run_as_root=run_as_root)
+ backing_file = data.backing_file
+ fmt = data.file_format
+ if backing_file is not None:
+ # Disallow backing files as a security measure.
+ # This prevents a user from writing an image header into a raw
+ # volume with a backing file pointing to data they wish to
+ # access.
+ raise exception.ImageUnacceptable(
+ image_id=image_id,
+ reason=_("fmt=%(fmt)s backed by:%(backing_file)s")
+ % {'fmt': fmt, 'backing_file': backing_file})
+
 convert_image(volume_path, tmp, image_meta['disk_format'], run_as_root=run_as_root)
--
1.9.3
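Review bot: The new guard rejects the upload only when `data.backing_file` is set, while the `convert_image(...)` call right after it is still given no source format, so the conversion presumably probes the tenant-writable volume header a second time, independently of this check. If the volume's real format is known here (`volume_format` is already logged a few lines up), handing it to the conversion would stop the header from being interpreted at all and leave the backing-file test as defence in depth; whether `convert_image` accepts such an argument is not visible in this hunk. The diffstat lists only `image_utils.py`, so a unit test that stubs `qemu_img_info` to report a backing file and asserts `exception.ImageUnacceptable` is raised before `convert_image` runs would keep the check from regressing. `upload_volume` begins and ends outside the hunk, so the other upload paths cannot be judged from here.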