commit 7534182e7f1ae466f96fdb13d3715a458f300604
Author: Matthew Booth <email address hidden>
Date: Wed Dec 9 15:36:32 2015 +0000

Fix format detection in libvirt snapshot

The libvirt driver was using automatic format detection during
snapshot for disks stored on the local filesystem. This opened an
exploit if nova was configured to use local file storage, and
additionally to store those files in raw format by specifying
use_cow_images = False in nova.conf. An authenticated user could write
a qcow2 header to their guest image with a backing file on the host.
libvirt.utils.get_disk_type() would then misdetect the type of this
image as qcow2 and pass this to the Qcow2 image backend, whose
snapshot_extract method interprets the image as qcow2 and writes the
backing file to glance. The authenticated user can then download the
host file from glance.

This patch makes 2 principal changes. libvirt.utils.get_disk_type,
which ought to be removed entirely as soon as possible, is updated to
no longer do format detection if the format can't be determined from
the path. Its name is changed to get_disk_type_from_path to reflect
its actual function.

libvirt.utils.find_disk is updated to return both the path and format
of the root disk, rather than just the path. This is the most reliable
source of this information, as it reflects the actual format in use.
The previous format detection function of get_disk_type is replaced by
the format taken from libvirt.

We replace a call to get_disk_type in _rebase_with_qemu_img with an
explicit call to qemu_img_info, as the other behaviour of
get_disk_type was not relevant in this context. qemu_img_info is safe
from the backing file exploit when called on a file known to be a
qcow2 image. As the file in this context is a volume snapshot, this is
a safe use.

Reviewed: https://review.openstack.org/264819
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=7534182e7f1ae466f96fdb13d3715a458f300604
Submitter: Jenkins
Branch: stable/kilo
Partial-Bug: #1524274
Conflicts:
nova/tests/unit/virt/libvirt/test_driver.py
nova/tests/unit/virt/libvirt/test_utils.py
nova/virt/libvirt/driver.py
nova/virt/libvirt/utils.py
Change-Id: I94c1c0d26215c061f71c3f95e1a6bf3a58fa19ea
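
The approach the commit message describes, taking the disk format from what libvirt was told rather than from the disk's contents, as an added Python example. This is not nova's code or part of the commit: the function names, the domain XML and the sample bytes are constructed for illustration.

```python
import xml.etree.ElementTree as ET

QCOW2_MAGIC = b"QFI\xfb"  # first four bytes of every qcow2 image

# Constructed sample: libvirt domain XML for a guest whose root disk is a raw file.
DOMAIN_XML = """
<domain type='kvm'>
  <devices>
    <disk type='file' device='disk'>
      <driver name='qemu' type='raw'/>
      <source file='/var/lib/nova/instances/INSTANCE_UUID/disk'/>
      <target dev='vda' bus='virtio'/>
    </disk>
  </devices>
</domain>
"""

# Constructed sample: the first sector of that raw disk as the guest left it.
# The guest controls every byte of a raw disk, including offset 0.
GUEST_CONTROLLED_BYTES = QCOW2_MAGIC + b"\x00" * 508


def sniff_format(first_bytes):
    """Content-based detection: its answer depends on guest-written data."""
    return "qcow2" if first_bytes.startswith(QCOW2_MAGIC) else "raw"


def find_root_disk(domain_xml):
    """Return (path, format) of the first file-backed disk as declared to libvirt."""
    root = ET.fromstring(domain_xml)
    for disk in root.findall("./devices/disk"):
        if disk.get("type") != "file" or disk.get("device") != "disk":
            continue
        source, driver = disk.find("source"), disk.find("driver")
        if source is None or driver is None or not driver.get("type"):
            # Refuse to guess: a missing format must not fall back to probing.
            raise ValueError("disk has no explicit source or driver type")
        return source.get("file"), driver.get("type")
    raise LookupError("no file-backed disk in domain XML")


def snapshot_format(domain_xml, first_bytes):
    """Choose the snapshot source format from the domain XML, never from content."""
    path, declared = find_root_disk(domain_xml)
    mismatch = sniff_format(first_bytes) != declared  # a signal worth alerting on
    return path, declared, mismatch
```

A mismatch between the declared and sniffed formats does not change the format used for the snapshot; it only marks the disk for investigation.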