OpenStack Compute (nova)

  1. Bug #1524274
  2. Comment #62

Comment 62 for bug 1524274

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to nova (stable/kilo)

Reviewed: https://review.openstack.org/264820
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=3bc1295e2d5fb1376e3a5c708efe9fbf9435e6a4
Submitter: Jenkins
Branch: stable/kilo

commit 3bc1295e2d5fb1376e3a5c708efe9fbf9435e6a4
Author: Matthew Booth <email address hidden>
Date: Thu Dec 10 16:34:19 2015 +0000

    Fix format conversion in libvirt snapshot

    The libvirt driver was calling images.convert_image during snapshot to
    convert snapshots to the intended output format. However, this
    function does not take the input format as an argument, meaning it
    implicitly does format detection. This opened an exploit for setups
    using raw storage on the backend, including raw on filesystem, LVM,
    and RBD (Ceph). An authenticated user could write a qcow2 header to
    their instance's disk which specified an arbitrary backing file on the
    host. When convert_image ran during snapshot, this would then write
    the contents of the backing file to glance, which is then available to
    the user. If the setup uses an LVM backend this conversion runs as
    root, meaning the user can exfiltrate any file on the host, including
    raw disks.

    This change adds an input format to convert_image.

    Partial-Bug: #1524274

    Change-Id: If73e73718ecd5db262ed9904091024238f98dbc0