Comment 57 for bug 1524274

OpenStack Infra (hudson-openstack) wrote : Fix merged to nova (stable/liberty)

Reviewed: https://review.openstack.org/264816
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=a9c8dee7ec81d6331c3699a2dda3a57b48ecfe5c
Submitter: Jenkins
Branch: stable/liberty

commit a9c8dee7ec81d6331c3699a2dda3a57b48ecfe5c
Author: Matthew Booth <email address hidden>
Date: Thu Dec 10 16:34:19 2015 +0000

    Fix format conversion in libvirt snapshot

    The libvirt driver was calling images.convert_image during snapshot to
    convert snapshots to the intended output format. However, this
    function does not take the input format as an argument, meaning it
    implicitly does format detection. This opened an exploit for setups
    using raw storage on the backend, including raw on filesystem, LVM,
    and RBD (Ceph). An authenticated user could write a qcow2 header to
    their instance's disk which specified an arbitrary backing file on the
    host. When convert_image ran during snapshot, this would then write
    the contents of the backing file to glance, which is then available to
    the user. If the setup uses an LVM backend this conversion runs as
    root, meaning the user can exfiltrate any file on the host, including
    raw disks.

    This change adds an input format to convert_image.

    Partial-Bug: #1524274

    (cherry picked from commit 820430b62aa5e87a8f7750f1b9873f56c4822452)

    Change-Id: If73e73718ecd5db262ed9904091024238f98dbc0
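
The difference the commit message describes, as an added illustration that is not nova's code and not part of the original comment: a `qemu-img convert` command line without `-f` lets qemu-img probe the guest-writable bytes, while passing the backend's format with `-f` does not. All function names and the sample header are hypothetical and constructed for this example; the header check is an extra audit step, not something the commit adds.

```python
import struct

QCOW2_MAGIC = b"QFI\xfb"  # first four bytes of a qcow2 image

# Constructed sample: first bytes of a guest disk on a raw backend where the
# guest has written something that parses as a qcow2 header. The backing file
# fields are non-zero; no file name is included.
SAMPLE_HEADER = QCOW2_MAGIC + struct.pack(">IQI", 3, 0x68, 9) + bytes(100)


def declares_backing_file(header: bytes) -> bool:
    """True if the bytes parse as a qcow2 header that names a backing file."""
    if len(header) < 20 or header[:4] != QCOW2_MAGIC:
        return False
    # Layout after the magic: version (u32), backing_file_offset (u64),
    # backing_file_size (u32), all big-endian.
    _version, offset, size = struct.unpack(">IQI", header[4:20])
    return offset != 0 and size != 0


def convert_cmd_autodetect(source, dest, out_format):
    """'Before' form: no -f, so qemu-img detects the format from the data."""
    return ["qemu-img", "convert", "-O", out_format, source, dest]


def convert_cmd(source, dest, in_format, out_format):
    """Hardened form: the caller states the format the backend really uses."""
    if not in_format:
        raise ValueError("input format must be given explicitly")
    return ["qemu-img", "convert", "-f", in_format, "-O", out_format,
            source, dest]


def audit_disk(header: bytes, backend_format: str) -> str:
    """Flag a disk whose content disagrees with the backend's known format."""
    if backend_format == "raw" and header[:4] == QCOW2_MAGIC:
        if declares_backing_file(header):
            return "ALERT: qcow2 header with backing file on raw-backed disk"
        return "WARN: qcow2 header on raw-backed disk"
    return "OK"


if __name__ == "__main__":
    print(audit_disk(SAMPLE_HEADER, "raw"))
    print(" ".join(convert_cmd("/dev/vg/disk", "/tmp/snap", "raw", "qcow2")))
```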