commit 820430b62aa5e87a8f7750f1b9873f56c4822452
Author: Matthew Booth <email address hidden>
Date: Thu Dec 10 16:34:19 2015 +0000
Fix format conversion in libvirt snapshot
The libvirt driver was calling images.convert_image during snapshot to
convert snapshots to the intended output format. However, this
function does not take the input format as an argument, meaning it
implicitly does format detection. This opened an exploit for setups
using raw storage on the backend, including raw on filesystem, LVM,
and RBD (Ceph). An authenticated user could write a qcow2 header to
their instance's disk which specified an arbitrary backing file on the
host. When convert_image ran during snapshot, this would then write
the contents of the backing file to glance, which is then available to
the user. If the setup uses an LVM backend this conversion runs as
root, meaning the user can exfiltrate any file on the host, including
raw disks.
This change adds an input format to convert_image.
Reviewed: https://review.openstack.org/264813
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=820430b62aa5e87a8f7750f1b9873f56c4822452
Submitter: Jenkins
Branch: master
Partial-Bug: #1524274
Change-Id: If73e73718ecd5db262ed9904091024238f98dbc0
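The following is an added example, not nova's code and not part of the commit: a sketch of a conversion command that always states the input format, plus an audit check for a raw volume whose first bytes format detection would read as qcow2. Function names, paths and the sample bytes are constructed for illustration.

```python
import struct

QCOW_MAGIC = b"QFI\xfb"  # first four bytes of every qcow2 image


def build_convert_cmd(source, dest, in_format, out_format):
    """Build a qemu-img argv that never relies on format probing."""
    if not in_format:
        raise ValueError("input format must come from the backend, not the image")
    return ["qemu-img", "convert", "-f", in_format, "-O", out_format, source, dest]


def probe_would_see_qcow2(head):
    """Return (is_qcow2, backing_name) for the leading bytes of a disk.

    qcow2 header, big-endian: magic[4], version u32,
    backing_file_offset u64, backing_file_size u32.
    """
    if len(head) < 20 or head[:4] != QCOW_MAGIC:
        return (False, None)
    _version, offset, size = struct.unpack(">IQI", head[4:20])
    if offset == 0 or size == 0:
        return (True, None)  # qcow2 header without a backing file
    name = head[offset:offset + size]
    if len(name) != size:
        return (True, "<name outside sampled bytes>")
    return (True, name.decode("utf-8", "replace"))


def check_raw_volume(head, declared_format="raw"):
    """Flag guest-written content that format detection would misread."""
    is_qcow2, backing = probe_would_see_qcow2(head)
    if declared_format == "raw" and is_qcow2:
        detail = f", backing file {backing!r}" if backing else ""
        return "suspicious: qcow2 header in raw volume" + detail
    return "ok"


# Constructed sample: header fragment only, not a usable image.
_NAME = b"/constructed/placeholder"
SAMPLE_HEAD = QCOW_MAGIC + struct.pack(">IQI", 3, 32, len(_NAME)) + b"\0" * 12 + _NAME

if __name__ == "__main__":
    print(check_raw_volume(SAMPLE_HEAD))
    print(check_raw_volume(b"\0" * 64))
    print(build_convert_cmd("/dev/example-vg/disk", "/tmp/snap.qcow2", "raw", "qcow2"))
```

With `-f raw` stated, qemu-img treats a guest-written header as plain data, so the backing file reference is never followed.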