Comment 61 for bug 1524274

OpenStack Infra (hudson-openstack) wrote : Fix merged to nova (stable/kilo)

Reviewed: https://review.openstack.org/264819
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=7534182e7f1ae466f96fdb13d3715a458f300604
Submitter: Jenkins
Branch: stable/kilo

commit 7534182e7f1ae466f96fdb13d3715a458f300604
Author: Matthew Booth <email address hidden>
Date: Wed Dec 9 15:36:32 2015 +0000

    Fix format detection in libvirt snapshot

    The libvirt driver was using automatic format detection during
    snapshot for disks stored on the local filesystem. This opened an
    exploit if nova was configured to use local file storage, and
    additionally to store those files in raw format by specifying
    use_cow_images = False in nova.conf. An authenticated user could write
    a qcow2 header to their guest image with a backing file on the host.
    libvirt.utils.get_disk_type() would then misdetect the type of this
    image as qcow2 and pass this to the Qcow2 image backend, whose
    snapshot_extract method interprets the image as qcow2 and writes the
    backing file to glance. The authenticated user can then download the
    host file from glance.

    This patch makes 2 principal changes. libvirt.utils.get_disk_type,
    which ought to be removed entirely as soon as possible, is updated to
    no longer do format detection if the format can't be determined from
    the path. Its name is changed to get_disk_type_from_path to reflect
    its actual function.

    libvirt.utils.find_disk is updated to return both the path and format
    of the root disk, rather than just the path. This is the most reliable
    source of this information, as it reflects the actual format in use.
    The previous format detection function of get_disk_type is replaced by
    the format taken from libvirt.

    We replace a call to get_disk_type in _rebase_with_qemu_img with an
    explicit call to qemu_img_info, as the other behaviour of
    get_disk_type was not relevant in this context. qemu_img_info is safe
    from the backing file exploit when called on a file known to be a
    qcow2 image. As the file in this context is a volume snapshot, this is
    a safe use.

    Partial-Bug: #1524274

    Conflicts:
        nova/tests/unit/virt/libvirt/test_driver.py
        nova/tests/unit/virt/libvirt/test_utils.py
        nova/virt/libvirt/driver.py
        nova/virt/libvirt/utils.py

    Change-Id: I94c1c0d26215c061f71c3f95e1a6bf3a58fa19ea
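
The principle behind the fix, as an added example that is not nova's code: take the disk format from the libvirt domain XML and treat the file's contents as untrusted guest data. The function names, sample XML and sample header are constructed for illustration, and the audit helper goes a step beyond the commit by flagging raw disks whose first bytes carry a qcow2 header.

```python
import struct
import xml.etree.ElementTree as ET

QCOW2_MAGIC = b"QFI\xfb"

# Constructed sample: domain XML for a guest whose root disk is declared raw.
SAMPLE_DOMAIN_XML = """
<domain type='kvm'>
  <devices>
    <disk type='file' device='disk'>
      <driver name='qemu' type='raw'/>
      <source file='/var/lib/nova/instances/EXAMPLE-UUID/disk'/>
      <target dev='vda' bus='virtio'/>
    </disk>
  </devices>
</domain>
"""
# Constructed sample: first 20 bytes of a disk whose guest wrote a qcow2
# header (version 2) claiming an 11-byte backing file name at offset 72.
SAMPLE_HEADER = struct.pack(">4sIQI", QCOW2_MAGIC, 2, 72, 11)


def disk_path_and_format(domain_xml):
    """Return (path, format) of the first disk as declared to libvirt."""
    disk = ET.fromstring(domain_xml).find("./devices/disk")
    if disk is None:
        raise ValueError("domain defines no disk")
    source, driver = disk.find("source"), disk.find("driver")
    if source is None or driver is None or not driver.get("type"):
        raise ValueError("disk lacks <source> or <driver type=...>")
    path = source.get("file") or source.get("dev") or source.get("name")
    return path, driver.get("type")


def audit_header(declared_format, header):
    """Flag guest-written qcow2 headers on disks the host treats as raw."""
    if declared_format != "raw" or len(header) < 20:
        return None
    # qcow2 header, big-endian: magic, version, backing offset, backing size
    magic, _ver, backing_off, backing_len = struct.unpack(">4sIQI", header[:20])
    if magic != QCOW2_MAGIC:
        return None
    if backing_off and backing_len:
        return "qcow2 header with backing file reference on raw disk"
    return "qcow2 header on raw disk"


if __name__ == "__main__":
    path, fmt = disk_path_and_format(SAMPLE_DOMAIN_XML)
    print(path, fmt, audit_header(fmt, SAMPLE_HEADER))
```

The declared format comes only from host-controlled configuration; the header bytes are inspected solely to raise a finding, never to choose how the image is opened.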