[Bug 1449062] Re: qemu-img calls need to be restricted by ulimit (CVE-2015-5162)
Jeremy Stanley
fungi at yuggoth.org
Thu Sep 22 23:46:09 UTC 2016
Following discussion with Sean and Hemanth, it looks like we ought to
get fixes for this into supported branches of Cinder and Glance after
all. Hopefully getting them merged goes quickly now that Nova has
already trodden this ground and the fixes are basically identical
between them.
Assuming all fixes merge before Newton releases and prior to any stable
branch point releases, this is the updated proposed impact description.
I'm using our YAML format here both for convenience and clarity due to
the number of repos and releases involved. I've also shortened the title
and referenced the affected software in it.
Should I include a note about the updated versions of oslo.concurrency
required, or are the references to patches in consuming projects
sufficient for this purpose? I'd like to avoid unnecessary additional
complexity if possible here.
--
date: TBD
id: TBD
title: Malicious qemu-img input may exhaust resources in Cinder, Glance,
  Nova
description: >
  Richard W.M. Jones of Red Hat reported a vulnerability that affects OpenStack
  Cinder, Glance and Nova. By providing a maliciously crafted disk image an
  attacker can consume considerable amounts of RAM and CPU time resulting in a
  denial of service via resource exhaustion. Any project which makes calls to
  qemu-img without appropriate ulimit restrictions in place is affected by this
  flaw.
affected-products:
  - product: cinder
    version: "<=7.0.2, >=8.0.0 <=8.1.1"
  - product: glance
    version: "<=11.0.1, ==12.0.0"
  - product: nova
    version: "<=12.0.4 and ==13.0.0"
vulnerabilities:
  - cve-id: CVE-2015-5162
reporters:
  - name: Richard W.M. Jones
    affiliation: Red Hat
    reported:
      - CVE-2015-5162
issues:
  links:
    - https://launchpad.net/bugs/1449062
  reviews:
    ocata:
      - https://review.openstack.org/375099 (cinder)
      - https://review.openstack.org/TBD (glance)
    newton:
      - https://review.openstack.org/375102 (cinder)
      - https://review.openstack.org/TBD (glance)
      - https://review.openstack.org/307663 (nova)
    mitaka:
      - https://review.openstack.org/TBD (cinder)
      - https://review.openstack.org/TBD (glance)
      - https://review.openstack.org/326327 (nova)
    liberty:
      - https://review.openstack.org/TBD (cinder)
      - https://review.openstack.org/TBD (glance)
      - https://review.openstack.org/327624 (nova)
notes:
  - >
    Separate Ocata patches are listed for Cinder and Glance, as they were fixed
    during the Newton release freeze after it branched from master.
--
https://bugs.launchpad.net/bugs/1449062
Title:
qemu-img calls need to be restricted by ulimit (CVE-2015-5162)
Status in Cinder:
In Progress
Status in Cinder mitaka series:
New
Status in Cinder newton series:
In Progress
Status in Ubuntu Cloud Archive:
Fix Released
Status in Ubuntu Cloud Archive liberty series:
Fix Committed
Status in Ubuntu Cloud Archive mitaka series:
Fix Committed
Status in Ubuntu Cloud Archive newton series:
Fix Released
Status in Glance:
New
Status in OpenStack Compute (nova):
Fix Released
Status in OpenStack Security Advisory:
In Progress
Status in python-oslo.concurrency package in Ubuntu:
Fix Released
Status in python-oslo.concurrency source package in Wily:
Fix Committed
Status in python-oslo.concurrency source package in Xenial:
Fix Released
Status in python-oslo.concurrency source package in Yakkety:
Fix Released
Bug description:
Reported via private E-mail from Richard W.M. Jones.
Turns out the qemu image parser is not hardened against malicious input
and can be abused to allocate an arbitrary amount of memory and/or
dump a lot of information when used with "--output=json".
The solution seems to be: limit qemu-img resources using ulimit.
Example of abuse:
-- afl1.img --
$ /usr/bin/time qemu-img info afl1.img
image: afl1.img
[...]
0.13user 0.19system 0:00.36elapsed 92%CPU (0avgtext+0avgdata 642416maxresident)k
0inputs+0outputs (0major+156927minor)pagefaults 0swaps
The original image is 516 bytes, but it causes qemu-img to allocate
640 MB.
-- afl2.img --
$ qemu-img info --output=json afl2.img | wc -l
589843
This is a 200K image which causes qemu-img info to output half a
million lines of JSON (14 MB of JSON).
Glance runs the --output=json variant of the command.
-- afl3.img --
$ /usr/bin/time qemu-img info afl3.img
image: afl3.img
[...]
0.09user 0.35system 0:00.47elapsed 94%CPU (0avgtext+0avgdata 1262388maxresident)k
0inputs+0outputs (0major+311994minor)pagefaults 0swaps
qemu-img allocates 1.3 GB (actually, a bit more if you play with
ulimit -v). It appears that you could change it to allocate
arbitrarily large amounts of RAM.
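The following is an added example, not code from the bug report, from oslo.concurrency, or from any of the Cinder, Glance or Nova patches listed above. It shows the mitigation the report recommends (running qemu-img under a ulimit) implemented with Python's standard-library `resource` module around `subprocess`, so that the address-space and CPU-time caps apply to the qemu-img child only and never to the calling service. The limit values (1 GiB, 8 s), the helper names, and the memory-hog stand-in for a hostile image are assumptions chosen so the example runs stand-alone on Linux without qemu-img or the afl*.img files; the real patches use oslo.concurrency's process-limit support, as the message above notes.

```python
import resource
import subprocess
import sys

# Assumed, illustrative limits (not values any project ships): cap the child's
# address space at 1 GiB and its CPU time at 8 seconds. afl1.img and afl3.img
# above drive qemu-img to 640 MB and 1.3 GB of RSS, so either would hit the
# address-space cap instead of starving the host.
ADDRESS_SPACE_BYTES = 1 * 1024 ** 3
CPU_SECONDS = 8


def _tighten(limit_id, wanted):
    """Lower a resource limit to `wanted`, never above the current hard limit
    (an unprivileged process may only tighten hard limits, never raise them)."""
    _soft, hard = resource.getrlimit(limit_id)
    new = wanted if hard == resource.RLIM_INFINITY else min(wanted, hard)
    resource.setrlimit(limit_id, (new, new))


def _apply_limits():
    """Runs in the forked child before exec(); the parent keeps its own limits.
    Programmatic equivalent of `ulimit -v 1048576; ulimit -t 8` in a subshell."""
    _tighten(resource.RLIMIT_AS, ADDRESS_SPACE_BYTES)
    _tighten(resource.RLIMIT_CPU, CPU_SECONDS)


def run_limited(cmd, wall_clock_timeout=30):
    """Execute cmd with the rlimits above applied to the child only.

    Returns (returncode, stdout, stderr). A negative returncode means the child
    died from a signal (SIGXCPU once RLIMIT_CPU is exhausted). The wall-clock
    timeout is an independent backstop: RLIMIT_CPU does not count time the
    child spends blocked on I/O. preexec_fn runs between fork() and exec(), so
    it must not touch locks or threads owned by the parent.
    """
    proc = subprocess.run(
        cmd,
        capture_output=True,
        preexec_fn=_apply_limits,
        timeout=wall_clock_timeout,
    )
    return proc.returncode, proc.stdout, proc.stderr


def qemu_img_info_cmd(image_path):
    """The --output=json invocation the report says Glance runs."""
    return ["qemu-img", "info", "--output=json", image_path]


# Constructed stand-in for a hostile image so the demo needs neither qemu-img
# nor afl3.img: a child that tries to allocate 2 GiB, the effect afl3.img has
# on qemu-img. On Linux, RLIMIT_AS makes the mmap() behind that allocation
# fail, so the child raises MemoryError and exits non-zero.
MEMORY_HOG_CMD = [sys.executable, "-c", "bytearray(2 * 1024 ** 3); print('allocated')"]
BENIGN_CMD = [sys.executable, "-c", "print('ok')"]


def hog_is_contained():
    """True when the cap stops the 2 GiB allocation (expected on Linux)."""
    rc, _out, err = run_limited(MEMORY_HOG_CMD)
    return rc != 0 and b"MemoryError" in err


def benign_still_works():
    """The caps must not break ordinary invocations."""
    rc, out, _err = run_limited(BENIGN_CMD)
    return rc == 0 and out.strip() == b"ok"


if __name__ == "__main__":
    print("memory hog contained:", hog_is_contained())
    print("benign command unaffected:", benign_still_works())
    # Against a real image: run_limited(qemu_img_info_cmd("afl3.img"))
```

The address-space cap alone does not address afl2.img: its half-million lines of JSON are cheap for qemu-img to produce, so the consumer must also bound how much of the child's stdout it is willing to read and parse, rather than slurping it all into memory.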