From 3e4d319c64ef1942ec312f0aad82831cc66becb7 Mon Sep 17 00:00:00 2001
From: "Daniel P. Berrange"
Date: Tue, 16 Jun 2015 16:00:41 +0100
Subject: [PATCH] virt: restrict resource usage of qemu-img info

The qemu-img info command may use an unreasonable amount of memory when asked to open various maliciously created disk images. Since the cloud tenant cannot be trusted, Nova must apply resource limits when invoking qemu-img info to avoid a potential denial-of-service on the compute node.

This limits qemu-img info to 1 GB of address space, and 2 seconds of CPU time, which should be sufficient to allow "normal" disk images, while blocking malicious ones.

The 'prlimit' command is found in the widely available util-limit package in Linux distros.

Closes-bug: 1449062
Change-Id: I446aa3dcc78f2f4733bd4968d5b2883d98f775f1
---
 nova/virt/images.py | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/nova/virt/images.py b/nova/virt/images.py
index 57d27aa..7755867 100644
--- a/nova/virt/images.py
+++ b/nova/virt/images.py
@@ -23,6 +23,7 @@ import os
 
 from oslo_config import cfg
 from oslo_log import log as logging
+from oslo_utils import units
 
 from nova import exception
 from nova.i18n import _, _LE
@@ -56,7 +57,14 @@ def qemu_img_info(path):
         msg = (_("Path does not exist %(path)s") % {'path': path})
         raise exception.InvalidDiskInfo(reason=msg)
 
+    # qemu-img can consume considerable RAM & CPU time if fed a
+    # maliciously crafted disk image. Since cloud tenants are not
+    # to be trusted, ensure QEMU is limits to 1 GB address space
+    # and 2 seconds CPU time, which ought to be more than enough
+    # for real world disk images
     out, err = utils.execute('env', 'LC_ALL=C', 'LANG=C',
+                             'prlimit','--cpu=2',
+                             '--as=' + str(1 * units.Gi),
                              'qemu-img', 'info', path)
     if not out:
         msg = (_("Failed to run qemu-img info on %(path)s : %(error)s") %
-- 
2.4.3
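Review bot: When either limit fires, qemu-img exits non-zero (or is killed on SIGXCPU), and `utils.execute` — assuming it keeps oslo processutils' default `check_exit_code` — raises `ProcessExecutionError` before the new side's `if not out:` check ever runs, so a crafted image surfaces as an unhandled process error instead of the `InvalidDiskInfo` this function raises for its other bad inputs. Wrapping the call and re-raising `exception.InvalidDiskInfo` keeps the failure mode consistent for callers (this needs `from oslo_concurrency import processutils` at the top of the file); the enclosing `qemu_img_info` starts before the hunk and continues after it. Separately, the added comment says `ensure QEMU is limits to 1 GB address space` where `is limited to` is meant, `'prlimit','--cpu=2'` is missing the space after the comma, and since `--as` caps virtual address space rather than resident memory it is worth saying so in that comment so nobody reads 1 GB as an RSS bound.
```python
    # … unchanged: path-exists check and the added comment block …
    try:
        out, err = utils.execute('env', 'LC_ALL=C', 'LANG=C',
                                 'prlimit', '--cpu=2',
                                 '--as=' + str(1 * units.Gi),
                                 'qemu-img', 'info', path)
    except processutils.ProcessExecutionError as exp:
        # Resource limit hit or qemu-img rejected the image: report it as
        # a bad disk image, not as a compute-node fault.
        msg = (_("qemu-img failed to execute on %(path)s : %(exp)s") %
               {'path': path, 'exp': exp})
        raise exception.InvalidDiskInfo(reason=msg)
    # … unchanged: 'if not out:' check and the rest of the function …
```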