Comment 75 for bug 1996188

Guillaume Espanel (guillaume-espanel) wrote : Re: Arbitrary file access through custom VMDK flat descriptor

Good day!

Interesting that we are talking about the format_inspector because I think there is a way there to perform a DoS attack on the glance-api process by uploading a malformed VMDK image:

For VMDK, the 'descriptor' capture region is bounded by (desc_sec * 512, desc_num * 512). Both desc_sec and desc_num are parsed from the header of the file, so it is possible for a malicious actor to ask the format_inspector to declare a huge descriptor capture_region by crafting weird values in there. In contrast, qemu limits the size of the descriptor it accepts to parse to 1MB if my math is right [1].

Actually, reading the code of qemu, it looks like they also hardcode the address of the descriptor to 0x200 [2], so it would be possible to have the format_inspector read a descriptor and qemu read a different one, thus bypassing any check we are currently doing there.

Notwithstanding this bug, I am not sure the format_inspector is not the best place to implement security checks at the moment. For one, I am not sure when it is actually called.

--
[1]: https://github.com/qemu/qemu/blob/master/block/vmdk.c#L898
[2]: https://github.com/qemu/qemu/blob/master/block/vmdk.c#L1327
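As an added illustration of the bounding the comment above asks for (not code from glance, qemu or the commenter), the snippet below parses the fixed prefix of a VMDK sparse extent header, derives the descriptor region from desc_sec/desc_num, and refuses regions that exceed a cap or that do not fit inside the data. The 1 MiB cap and the "descriptor expected at sector 1" consistency check are assumptions taken from the comment's description of qemu, not verified against qemu itself; the sample header is constructed test data.

```python
import struct

SECTOR = 512
# Assumption: mirrors the 1 MiB descriptor limit the comment attributes to qemu.
MAX_DESCRIPTOR_BYTES = 1024 * 1024
# Fixed little-endian prefix of the sparse extent header:
# magic, version, flags, capacity, grainSize, descriptorOffset, descriptorSize
SPARSE_HEADER = struct.Struct('<IIIQQQQ')
VMDK_MAGIC = 0x564D444B  # b'KDMV'
# Assumption (from the comment): a fixed-offset reader looks for the descriptor at 0x200.
FIXED_READER_SECTOR = 1


def descriptor_region(data):
    """Return (offset_bytes, length_bytes) of the embedded descriptor or raise ValueError."""
    if len(data) < SPARSE_HEADER.size:
        raise ValueError('short header')
    magic, _ver, _flags, _cap, _grain, desc_sec, desc_num = SPARSE_HEADER.unpack_from(data)
    if magic != VMDK_MAGIC:
        raise ValueError('not a sparse VMDK header')
    if desc_num == 0:
        raise ValueError('descriptor size is zero')
    # Python ints do not overflow, so bound the product before anything is allocated.
    length = desc_num * SECTOR
    if length > MAX_DESCRIPTOR_BYTES:
        raise ValueError('descriptor region %d bytes exceeds cap %d' % (length, MAX_DESCRIPTOR_BYTES))
    return desc_sec * SECTOR, length


def check_image(data):
    """True only if the descriptor region is capped and lies entirely within the data."""
    try:
        off, length = descriptor_region(data)
    except ValueError:
        return False
    return off + length <= len(data)


def descriptor_matches_fixed_reader(data):
    """True if the header's descriptor offset is the sector a fixed-offset reader would use."""
    desc_sec = SPARSE_HEADER.unpack_from(data)[5]
    return desc_sec == FIXED_READER_SECTOR


def make_header(desc_sec, desc_num):
    """Constructed sample header padded to one sector (test data, not a real image)."""
    head = SPARSE_HEADER.pack(VMDK_MAGIC, 1, 3, 2048, 128, desc_sec, desc_num)
    return head + b'\0' * (SECTOR - len(head))
```

An image whose header declares a region that is both under the cap and inside the file passes; a header declaring a gigantic desc_num is rejected before any buffer for the region is created, and a descriptor placed somewhere other than sector 1 is flagged so the two readers cannot silently disagree.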