commit 3bc1295e2d5fb1376e3a5c708efe9fbf9435e6a4
Author: Matthew Booth <email address hidden>
Date: Thu Dec 10 16:34:19 2015 +0000

Fix format conversion in libvirt snapshot

The libvirt driver was calling images.convert_image during snapshot to
convert snapshots to the intended output format. However, this
function does not take the input format as an argument, meaning it
implicitly does format detection. This opened an exploit for setups
using raw storage on the backend, including raw on filesystem, LVM,
and RBD (Ceph). An authenticated user could write a qcow2 header to
their instance's disk which specified an arbitrary backing file on the
host. When convert_image ran during snapshot, this would then write
the contents of the backing file to glance, which is then available to
the user. If the setup uses an LVM backend this conversion runs as
root, meaning the user can exfiltrate any file on the host, including
raw disks.

This change adds an input format to convert_image.

Reviewed: https://review.openstack.org/264820
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=3bc1295e2d5fb1376e3a5c708efe9fbf9435e6a4
Submitter: Jenkins
Branch: stable/kilo
Partial-Bug: #1524274
Change-Id: If73e73718ecd5db262ed9904091024238f98dbc0
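
The commit message above attributes the leak to qemu-img probing the format of a guest-writable raw disk. The following is an added example, not Nova's code or part of the commit: it builds a `qemu-img convert` command line with the input format pinned via `-f`, and checks whether a disk that should be raw starts with a qcow2 header naming a backing file. The function names, paths and sample bytes are assumptions constructed for illustration.

```python
import struct

QCOW2_MAGIC = b"QFI\xfb"
# Start of the qcow2 header, big-endian: magic, version,
# backing_file_offset (u64), backing_file_size (u32).
_HEADER = struct.Struct(">4sIQI")


def probe_qcow2_backing_file(data):
    """Inspect the first bytes of a disk that is supposed to be raw.

    Returns None if there is no qcow2 magic, "" for a qcow2 header without a
    backing file, otherwise the backing file name the header points at.
    """
    if len(data) < _HEADER.size:
        return None
    magic, _version, offset, size = _HEADER.unpack_from(data)
    if magic != QCOW2_MAGIC:
        return None
    if offset == 0 or size == 0:
        return ""
    return data[offset:offset + size].decode("utf-8", "replace")


def convert_image_cmd(source, dest, in_format, out_format):
    """Build a qemu-img argv that names the input format explicitly."""
    if not in_format:
        # Without -f, qemu-img probes the content, which the guest controls.
        raise ValueError("in_format is required")
    return ["qemu-img", "convert", "-f", in_format, "-O", out_format,
            source, dest]


def constructed_guest_disk(backing=b"/placeholder/host/file"):
    """Constructed sample: first 1 KiB of a 'raw' disk carrying a qcow2 header."""
    header = _HEADER.pack(QCOW2_MAGIC, 3, 512, len(backing))
    return header.ljust(512, b"\0") + backing.ljust(512, b"\0")


if __name__ == "__main__":
    print(probe_qcow2_backing_file(constructed_guest_disk()))
    print(convert_image_cmd("/dev/vg/disk", "/tmp/snap.qcow2", "raw", "qcow2"))
```

With `-f raw` the header bytes are copied as plain data, so a non-None probe result on a raw-backed instance is a signal worth alerting on rather than something the conversion will act on.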