qemu-img calls need to be restricted by ulimit (CVE-2015-5162)
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| Mirantis OpenStack |
Fix Released
|
Medium
|
Fuel Sustaining | ||
| 8.0.x |
Won't Fix
|
Medium
|
MOS Maintenance | ||
| 9.x |
Fix Released
|
Medium
|
Fuel Sustaining | ||
Bug Description
Upstream bug: https:/
Reported via private E-mail from Richard W.M. Jones.
Turns out qemu image parser is not hardened against malicious input and can be abused to allocated an arbitrary amount of memory and/or dump a lot of information when used with "--output=json".
The solution seems to be: limit qemu-img ressource using ulimit.
Example of abuse:
-- afl1.img --
$ /usr/bin/time qemu-img info afl1.img
image: afl1.img
[...]
0.13user 0.19system 0:00.36elapsed 92%CPU (0avgtext+0avgdata 642416maxresident)k
0inputs+0outputs (0major+
The original image is 516 bytes, but it causes qemu-img to allocate 640 MB.
-- afl2.img --
$ qemu-img info --output=json afl2.img | wc -l
589843
This is a 200K image which causes qemu-img info to output half a
million lines of JSON (14 MB of JSON).
Glance runs the --output=json variant of the command.
-- afl3.img --
$ /usr/bin/time qemu-img info afl3.img
image: afl3.img
[...]
0.09user 0.35system 0:00.47elapsed 94%CPU (0avgtext+0avgdata 1262388maxresid
0inputs+0outputs (0major+
qemu-img allocates 1.3 GB (actually, a bit more if you play with
ulimit -v). It appears that you could change it to allocate
arbitrarily large amounts of RAM.
CVE References
| Roman Podoliaka (rpodolyaka) wrote | #1 |
| Changed in mos: | |
| milestone: | none → 9.1 |
| tags: | added: area-nova |
| tags: | added: feature-security |
| Denis Meltsaykin (dmeltsaykin) wrote | #2 |
| Alexey Shtokolov (ashtokolov) wrote | #3 |
| tags: | added: hard-to-verify |
| tags: | added: on-verification |
| Dmitry Belyaninov (dbelyaninov) wrote | #4 |
| tags: | removed: on-verification |
Setting the importance according to the upstream bug.