[Bug 1449062] Re: qemu-img calls need to be restricted by ulimit (CVE-2015-5162)

Jeremy Stanley fungi at yuggoth.org
Tue Sep 27 16:05:38 UTC 2016


Tristan: I'm still a little confused on the oslo.concurrency
recommendation. Are you saying that we should suggest stable/liberty and
stable/mitaka deployments to also use oslo.concurrency>=3.8.0? At the
moment the tips of stable/liberty and stable/mitaka branches for
oslo.concurrency are tagged 2.6.1 and 3.7.1 respectively (and that's
what we have pinned in upper-constraints.txt for testing purposes as
well). I don't want to imply in an advisory that all deployments should
upgrade oslo.concurrency to 3.8.0 or later if there's a risk it will
break liberty or mitaka deployments (which is why I was leaning toward
not mentioning oslo.concurrency versions as that would just add to
confusion).

-- 
You received this bug notification because you are a member of Ubuntu
OpenStack, which is subscribed to Ubuntu Cloud Archive.
https://bugs.launchpad.net/bugs/1449062

Title:
  qemu-img calls need to be restricted by ulimit (CVE-2015-5162)

Status in Cinder:
  Fix Released
Status in Cinder mitaka series:
  In Progress
Status in Cinder newton series:
  Fix Released
Status in Ubuntu Cloud Archive:
  Fix Released
Status in Ubuntu Cloud Archive liberty series:
  Fix Committed
Status in Ubuntu Cloud Archive mitaka series:
  Fix Committed
Status in Ubuntu Cloud Archive newton series:
  Fix Released
Status in Glance:
  Fix Released
Status in Glance liberty series:
  New
Status in Glance mitaka series:
  New
Status in Glance newton series:
  Fix Committed
Status in OpenStack Compute (nova):
  Fix Released
Status in OpenStack Security Advisory:
  In Progress
Status in python-oslo.concurrency package in Ubuntu:
  Fix Released
Status in python-oslo.concurrency source package in Wily:
  Fix Committed
Status in python-oslo.concurrency source package in Xenial:
  Fix Released
Status in python-oslo.concurrency source package in Yakkety:
  Fix Released

Bug description:
  Reported via private E-mail from Richard W.M. Jones.

  Turns out qemu image parser is not hardened against malicious input
  and can be abused to allocated an arbitrary amount of memory and/or
  dump a lot of information when used with "--output=json".

  The solution seems to be: limit qemu-img ressource using ulimit.

  Example of abuse:

  -- afl1.img --

  $ /usr/bin/time qemu-img info afl1.img
  image: afl1.img
  [...]
  0.13user 0.19system 0:00.36elapsed 92%CPU (0avgtext+0avgdata 642416maxresident)k
  0inputs+0outputs (0major+156927minor)pagefaults 0swaps

  The original image is 516 bytes, but it causes qemu-img to allocate
  640 MB.

  -- afl2.img --

  $ qemu-img info --output=json afl2.img | wc -l
  589843

  This is a 200K image which causes qemu-img info to output half a
  million lines of JSON (14 MB of JSON).

  Glance runs the --output=json variant of the command.

  -- afl3.img --

  $ /usr/bin/time qemu-img info afl3.img
  image: afl3.img
  [...]
  0.09user 0.35system 0:00.47elapsed 94%CPU (0avgtext+0avgdata 1262388maxresident)k
  0inputs+0outputs (0major+311994minor)pagefaults 0swaps

  qemu-img allocates 1.3 GB (actually, a bit more if you play with
  ulimit -v).  It appears that you could change it to allocate
  arbitrarily large amounts of RAM.

To manage notifications about this bug go to:
https://bugs.launchpad.net/cinder/+bug/1449062/+subscriptions



More information about the Ubuntu-openstack-bugs mailing list