[Bug 1449062] Fix merged to glance (stable/liberty)
OpenStack Infra
1449062 at bugs.launchpad.net
Fri Sep 30 10:55:38 UTC 2016
Reviewed: https://review.openstack.org/378012
Committed: https://git.openstack.org/cgit/openstack/glance/commit/?id=58311904a73f931404416649dc6ed3958adc59c8
Submitter: Jenkins
Branch: stable/liberty
commit 58311904a73f931404416649dc6ed3958adc59c8
Author: Brian Rosmaita <brian.rosmaita at rackspace.com>
Date: Tue Sep 27 16:11:17 2016 -0400
Adding constraints around qemu-img calls
* All "qemu-img info" calls are now run under resource limitations that
limit CPU time to 2 seconds and address space usage to 1 GB. This
helps avoid any DoS attacks via malicious images.
* All "qemu-img convert" calls now specify the import format so that it
does not have to be inferred by qemu-img.
SecurityImpact
(Hemanth did all the work on this, I'm just doing the backport.)
Co-authored-by: Hemanth Makkapati <hemanth.makkapati at rackspace.com>
Closes-Bug: #1449062
(cherry picked from commit 69a9b659fd48aa3c1f84fc7bc9ae236b6803d31f)
Change-Id: I65f30b85439a8811545b0ca590555528631954df
--
You received this bug notification because you are a member of Ubuntu
OpenStack, which is subscribed to Ubuntu Cloud Archive.
https://bugs.launchpad.net/bugs/1449062
Title:
qemu-img calls need to be restricted by ulimit (CVE-2015-5162)
Status in Cinder:
Fix Released
Status in Cinder mitaka series:
Fix Committed
Status in Cinder newton series:
Fix Released
Status in Ubuntu Cloud Archive:
Fix Released
Status in Ubuntu Cloud Archive liberty series:
Fix Committed
Status in Ubuntu Cloud Archive mitaka series:
Fix Committed
Status in Ubuntu Cloud Archive newton series:
Fix Released
Status in Glance:
Fix Committed
Status in Glance liberty series:
New
Status in Glance mitaka series:
Fix Committed
Status in Glance newton series:
Fix Committed
Status in OpenStack Compute (nova):
Fix Released
Status in OpenStack Security Advisory:
In Progress
Status in python-oslo.concurrency package in Ubuntu:
Fix Released
Status in python-oslo.concurrency source package in Wily:
Fix Committed
Status in python-oslo.concurrency source package in Xenial:
Fix Released
Status in python-oslo.concurrency source package in Yakkety:
Fix Released
Bug description:
Reported via private E-mail from Richard W.M. Jones.
Turns out qemu image parser is not hardened against malicious input
and can be abused to allocated an arbitrary amount of memory and/or
dump a lot of information when used with "--output=json".
The solution seems to be: limit qemu-img ressource using ulimit.
Example of abuse:
-- afl1.img --
$ /usr/bin/time qemu-img info afl1.img
image: afl1.img
[...]
0.13user 0.19system 0:00.36elapsed 92%CPU (0avgtext+0avgdata 642416maxresident)k
0inputs+0outputs (0major+156927minor)pagefaults 0swaps
The original image is 516 bytes, but it causes qemu-img to allocate
640 MB.
-- afl2.img --
$ qemu-img info --output=json afl2.img | wc -l
589843
This is a 200K image which causes qemu-img info to output half a
million lines of JSON (14 MB of JSON).
Glance runs the --output=json variant of the command.
-- afl3.img --
$ /usr/bin/time qemu-img info afl3.img
image: afl3.img
[...]
0.09user 0.35system 0:00.47elapsed 94%CPU (0avgtext+0avgdata 1262388maxresident)k
0inputs+0outputs (0major+311994minor)pagefaults 0swaps
qemu-img allocates 1.3 GB (actually, a bit more if you play with
ulimit -v). It appears that you could change it to allocate
arbitrarily large amounts of RAM.
To manage notifications about this bug go to:
https://bugs.launchpad.net/cinder/+bug/1449062/+subscriptions
More information about the Ubuntu-openstack-bugs
mailing list