commit cd4eeead3d70719f04d940af7da608eec81ab4e8
Author: Matthew Booth <email address hidden>
Date: Wed Dec 9 15:36:32 2015 +0000

Fix format detection in libvirt snapshot

The libvirt driver was using automatic format detection during
snapshot for disks stored on the local filesystem. This opened an
exploit if nova was configured to use local file storage, and
additionally to store those files in raw format by specifying
use_cow_images = False in nova.conf. An authenticated user could write
a qcow2 header to their guest image with a backing file on the host.
libvirt.utils.get_disk_type() would then misdetect the type of this
image as qcow2 and pass this to the Qcow2 image backend, whose
snapshot_extract method interprets the image as qcow2 and writes the
backing file to glance. The authenticated user can then download the
host file from glance.

This patch makes 2 principal changes. libvirt.utils.get_disk_type,
which ought to be removed entirely as soon as possible, is updated to
no longer do format detection if the format can't be determined from
the path. Its name is changed to get_disk_type_from_path to reflect
its actual function.

libvirt.utils.find_disk is updated to return both the path and format
of the root disk, rather than just the path. This is the most reliable
source of this information, as it reflects the actual format in use.
The previous format detection function of get_disk_type is replaced by
the format taken from libvirt.

We replace a call to get_disk_type in _rebase_with_qemu_img with an
explicit call to qemu_img_info, as the other behaviour of
get_disk_type was not relevant in this context. qemu_img_info is safe
from the backing file exploit when called on a file known to be a
qcow2 image. As the file in this context is a volume snapshot, this is
a safe use.

Partial-Bug: #1524274
(cherry picked from commit 2bb6635a21e4f7abe386c01ec7d3af5480498f14)
Reviewed: https://review.openstack.org/264815
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=cd4eeead3d70719f04d940af7da608eec81ab4e8
Submitter: Jenkins
Branch: stable/liberty
Conflicts:
nova/tests/unit/virt/libvirt/test_utils.py
nova/virt/libvirt/utils.py
Minor conflicts as ploop was added in Mitaka.
Change-Id: I94c1c0d26215c061f71c3f95e1a6bf3a58fa19ea
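
The principle the commit message describes, taking the root disk's format from the libvirt domain definition rather than probing guest-writable content, shown as an added Python example that is not nova's code. The function names, sample XML and disk path are constructed for illustration; the header bytes are used only to report a mismatch, never to select the format.

```python
import xml.etree.ElementTree as ET

QCOW2_MAGIC = b"QFI\xfb"  # first four bytes of every qcow2 image

# Constructed sample: a domain whose root disk is declared as raw.
SAMPLE_DOMAIN_XML = """
<domain type='kvm'>
  <devices>
    <disk type='file' device='disk'>
      <driver name='qemu' type='raw'/>
      <source file='/var/lib/nova/instances/example/disk'/>
      <target dev='vda' bus='virtio'/>
    </disk>
  </devices>
</domain>
"""


def find_root_disk(domain_xml):
    """Return (path, format) of the first disk, both read from the domain XML."""
    disk = ET.fromstring(domain_xml).find("devices/disk")
    if disk is None:
        raise ValueError("domain has no disk device")
    source, driver = disk.find("source"), disk.find("driver")
    if source is None or driver is None or not driver.get("type"):
        # Refuse to guess: a missing declaration must not fall back to probing.
        raise ValueError("disk has no declared source or driver type")
    path = source.get("file") or source.get("dev")
    if not path:
        raise ValueError("disk source has no file or dev attribute")
    return path, driver.get("type")


def snapshot_format(domain_xml, first_bytes):
    """Choose the snapshot source format without trusting disk content.

    first_bytes is the start of the disk file, which the guest controls.
    It only sets the 'suspicious' flag; the declared format always wins.
    """
    path, declared = find_root_disk(domain_xml)
    suspicious = declared == "raw" and first_bytes.startswith(QCOW2_MAGIC)
    return path, declared, suspicious
```

A `suspicious` result is worth logging: a disk declared raw whose content begins with the qcow2 magic is exactly what automatic detection would have misread.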