From edbfff8c0ac460b348ff2fc750171eccd1c445c2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?P=C3=A1draig=20Brady?=
Date: Thu, 24 Jan 2013 10:54:43 +0000
Subject: [PATCH] disallow boot from volume from specifying arbitrary volumes
Fix a vulnerability in volume attachment in nova-volume, affecting the boot-from-volume feature. By passing a specific volume ID, an authenticated user may be able to boot from a volume they don't own, potentially resulting in full access to that 3rd-party volume.
Fixes bug: 1069904, CVE-2013-0208
Change-Id: I5f7c8d20d3ebf33ce1ce64bf0a8418bd2b5a6411
---
 nova/compute/api.py | 17 +++++++++++++++++
 nova/exception.py | 14 ++++++++++++++
 2 files changed, 31 insertions(+), 0 deletions(-)
diff --git a/nova/compute/api.py b/nova/compute/api.py
index 7d42d34..f03c7d1 100644
--- a/nova/compute/api.py
+++ b/nova/compute/api.py
@@ -542,6 +542,23 @@ class API(base.Base):
 block_device_mapping = block_device_mapping or []
 instances = []
 LOG.debug(_("Going to run %s instances..."), num_instances)
+
+ # Validate the correct devices have been specified
+ for bdm in block_device_mapping:
+ # NOTE(vish): For now, just make sure the volumes are accessible.
+ snapshot_id = bdm.get('snapshot_id')
+ volume_id = bdm.get('volume_id')
+ if volume_id is not None:
+ try:
+ self.volume_api.get(context, volume_id)
+ except Exception:
+ raise exception.InvalidBDMVolume(id=volume_id)
+ elif snapshot_id is not None:
+ try:
+ self.volume_api.get_snapshot(context, snapshot_id)
+ except Exception:
+ raise exception.InvalidBDMSnapshot(id=snapshot_id)
+
 for num in range(num_instances):
 instance = self.create_db_entry_for_new_instance(context,
 instance_type, image,
diff --git a/nova/exception.py b/nova/exception.py
index c2a98eb..a280038 100644
--- a/nova/exception.py
+++ b/nova/exception.py
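Review bot: In the nova/compute/api.py hunk, both `except Exception:` clauses turn every failure of `self.volume_api.get(...)` and `self.volume_api.get_snapshot(...)` into InvalidBDMVolume or InvalidBDMSnapshot and discard the original error, so a rejected attempt to map a volume the caller cannot access looks the same as a volume-service outage, and neither is logged. As this lookup is the access check the commit message ties to CVE-2013-0208, I would log before raising, e.g. `LOG.warn(_("Block device mapping rejected: volume %s is not accessible"), volume_id)`, and narrow the except to the lookup's not-found and not-authorized errors if the volume API distinguishes them (not visible here). The fix also depends on the lookup refusing volumes the caller's `context` does not own, which the existing NOTE only hints at with "accessible"; a comment such as `# Relies on volume_api.get() rejecting volumes outside the caller's context` would make that explicit. Because of the `elif`, a mapping that carries both `volume_id` and `snapshot_id` has only the volume looked up; presumably the snapshot is ignored downstream in that case, but that should be confirmed. The enclosing method starts and ends outside the hunk, and the diffstat lists no test file, so a regression test for the rejected-volume path appears to be missing.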
@@ -231,6 +231,20 @@ class InvalidParameterValue(Invalid):
 message = _("%(err)s")


+class InvalidBDM(Invalid):
+ message = _("Block Device Mapping is Invalid.")
+
+
+class InvalidBDMSnapshot(InvalidBDM):
+ message = _("Block Device Mapping is Invalid: "
+ "failed to get snapshot %(id)s.")
+
+
+class InvalidBDMVolume(InvalidBDM):
+ message = _("Block Device Mapping is Invalid: "
+ "failed to get volume %(id)s.")
+
+
 class InstanceNotRunning(Invalid):
 message = _("Instance %(instance_id)s is not running.")

--
1.7.6.4