Limit CaptureRegion sizes in format_inspector for VMDK and VHDX

Bug #2006490 reported by Abhishek Kekane
Affects: Glance (status tracked in Zed)

Series  Status        Importance  Assigned to  Milestone
Xena    New           Undecided   Unassigned
Yoga    In Progress   Undecided   Unassigned
Zed     Fix Released  Undecided   Unassigned

Bug Description

VMDK:
When parsing a VMDK file to calculate its size, the format_inspector
determines the location of the Descriptor section by reading two
uint64 from the headers of the file and uses them to create the
descriptor CaptureRegion.

It would be possible to craft a VMDK file that commands the
format_inspector to create a very big CaptureRegion, thus exhausting
resources on the glance-api process.

VHDX:
It is a bit more involved, but similar: when looking for the
VIRTUAL_DISK_SIZE metadata, the format_inspector was creating an
unbounded CaptureRegion.

Abhishek Kekane (abhishek-kekane) wrote :
Changed in glance:
status: New → Fix Committed
OpenStack Infra (hudson-openstack) wrote : Fix proposed to glance (stable/zed)

Fix proposed to branch: stable/zed
Review: https://review.opendev.org/c/openstack/glance/+/872990

OpenStack Infra (hudson-openstack) wrote : Fix merged to glance (stable/zed)

Reviewed: https://review.opendev.org/c/openstack/glance/+/872990
Committed: https://opendev.org/openstack/glance/commit/06a18202ab52c64803f044b8f848ed1c160905d2
Submitter: "Zuul (22348)"
Branch: stable/zed

commit 06a18202ab52c64803f044b8f848ed1c160905d2
Author: Guillaume Espanel <email address hidden>
Date: Wed Jan 25 11:53:09 2023 +0100

    Limit CaptureRegion sizes in format_inspector for VMDK and VHDX

    VMDK:
    When parsing a VMDK file to calculate its size, the format_inspector
    determines the location of the Descriptor section by reading two
    uint64 from the headers of the file and uses them to create the
    descriptor CaptureRegion.

    It would be possible to craft a VMDK file that commands the
    format_inspector to create a very big CaptureRegion, thus exhausting
    resources on the glance-api process.

    This patch binds the beginning of the descriptor to 0x200 and limits
    the size of the CaptureRegion to 1MB, similar to how the VMDK
    descriptor is parsed by qemu.

    VHDX:
    It is a bit more involved, but similar: when looking for the
    VIRTUAL_DISK_SIZE metadata, the format_inspector was creating an
    unbounded CaptureRegion.

    In the same way as it seems to be done in Qemu, we now limit the upper
    bound of this CaptureRegion.

    Closes-Bug: #2006490
    Change-Id: I3ec5a33df20e1cfb6673f4ff1c7c91aacd065532
    (cherry picked from commit d4d33ee30f303f783c0640cd72acb31b313e1164)
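Worked illustration of the VMDK half of the bug described above and in the commit message: a small stream-capture window in the style of a CaptureRegion, the pre-fix logic that trusts the two uint64 descriptor fields from the sparse-extent header verbatim, and the post-fix logic that pins the descriptor to 0x200 and caps it at 1 MiB before anything is buffered. This is an added example written for this page; it is not glance's format_inspector code, and the class and function names, the header packing, the 1 MiB constant and the sample image are assumptions of the example, not values taken from the patch. The header layout (magic, version, flags, capacity, grain size, descriptor offset, descriptor size, with the last four in 512-byte sectors) follows the VMware hosted sparse extent header, which is what puts the two uint64 fields at bytes 28 and 36. The VHDX case is the same pattern applied to the metadata table entry that points at VIRTUAL_DISK_SIZE and is not repeated here.

```python
import struct

SECTOR = 512
HEADER_FMT = '<4sIIQQQQ'           # magic, version, flags, capacity,
HEADER_LEN = struct.calcsize(HEADER_FMT)  # grain_size, desc_offset, desc_size
# Bounds assumed for the example (the commit says the fix pins the descriptor
# to 0x200 and limits the region to 1MB, "similar to" qemu's VMDK parser).
DESC_EXPECTED_OFFSET = 0x200
DESC_MAX_SIZE = 1 << 20


class ImageFormatError(Exception):
    """Raised when a header makes a claim the inspector refuses to act on."""


class CaptureRegion:
    """Byte window [offset, offset+length) of an image seen as a stream.

    capture() is fed the image chunk by chunk, as an upload arrives, and keeps
    the bytes inside the window.  Memory held grows towards `length`, so an
    attacker who controls `length` controls how much the process buffers.
    """

    def __init__(self, offset, length):
        self.offset = offset
        self.length = length
        self.data = b''

    @property
    def complete(self):
        return len(self.data) >= self.length

    def capture(self, chunk, stream_pos):
        """Retain the part of `chunk` (starting at absolute `stream_pos`)
        that falls inside the window; chunks must arrive in stream order."""
        end = self.offset + self.length
        chunk_end = stream_pos + len(chunk)
        if self.complete or chunk_end <= self.offset or stream_pos >= end:
            return
        start = max(self.offset, stream_pos) - stream_pos
        stop = min(end, chunk_end) - stream_pos
        self.data += chunk[start:stop]


def build_sparse_header(desc_offset_sectors, desc_size_sectors,
                        capacity_sectors=2048, grain_sectors=128):
    """Constructed VMDK sparse-extent header (first 44 bytes of the file)."""
    return struct.pack(HEADER_FMT, b'KDMV', 1, 3, capacity_sectors,
                       grain_sectors, desc_offset_sectors, desc_size_sectors)


def build_sample_image(descriptor_text, desc_sectors=20):
    """Constructed benign image: header at sector 0, descriptor at sector 1."""
    header = build_sparse_header(1, desc_sectors).ljust(SECTOR, b'\0')
    return header + descriptor_text.ljust(desc_sectors * SECTOR, b'\0')


def _unpack_descriptor_fields(header):
    magic, _ver, _flags, _cap, _grain, off, size = struct.unpack(
        HEADER_FMT, header[:HEADER_LEN])
    if magic != b'KDMV':
        raise ImageFormatError('not a VMDK sparse extent')
    return off * SECTOR, size * SECTOR


def descriptor_region_unbounded(header):
    """Pre-fix behaviour: whatever the file says, that is the region size."""
    off, size = _unpack_descriptor_fields(header)
    return CaptureRegion(off, size)


def descriptor_region_bounded(header):
    """Post-fix behaviour: validate the two fields before creating a region."""
    off, size = _unpack_descriptor_fields(header)
    if off != DESC_EXPECTED_OFFSET:
        raise ImageFormatError(
            'descriptor at %#x, expected %#x' % (off, DESC_EXPECTED_OFFSET))
    if size > DESC_MAX_SIZE:
        raise ImageFormatError('descriptor size %d exceeds %d' %
                               (size, DESC_MAX_SIZE))
    return CaptureRegion(off, size)


def capture_descriptor(image, region, chunk_size=4096):
    """Stream `image` through `region` in chunks and return what it kept."""
    for pos in range(0, len(image), chunk_size):
        region.capture(image[pos:pos + chunk_size], pos)
    return region.data


def bytes_buffered_for_zero_stream(region, stream_len, chunk_size=4096):
    """How much a region would hold after `stream_len` bytes of attacker data."""
    capture_descriptor(b'\0' * stream_len, region, chunk_size)
    return len(region.data)
```

Feeding a header whose descriptor-size field is `1 << 40` sectors to the unbounded parser yields a region of 2**49 bytes that never completes and keeps buffering for as long as the upload lasts; the bounded parser rejects that header, and any header that moves the descriptor away from sector 1, before a single byte is retained.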

OpenStack Infra (hudson-openstack) wrote : Fix proposed to glance (stable/yoga)

Fix proposed to branch: stable/yoga
Review: https://review.opendev.org/c/openstack/glance/+/877266

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/glance zed-eom

This issue was fixed in the openstack/glance zed-eom release.
