authorSean McGinnis <sean_mcginnis@dell.com>2016-09-22 15:31:37 -0500
committerSean McGinnis <sean.mcginnis@gmail.com>2016-09-22 20:48:27 +0000
commit8547444775e406a50d9d26a0003e9ba6554b0d70 (patch)
tree19f36432a1d2dd3cfb01f4bd431ff4c25b799045
parent5eee3b86274c44f7d782128278b385e8caa8f9ae (diff)
Limit memory & CPU when running qemu-img info
It was found that a modified or corrupted image file can cause a DoS on the host when getting image info with qemu-img. This uses the newer 'prlimit' parameter for oslo.concurrency execute to set an address space limit of 1GB and CPU time limit of 2 seconds when running the qemu-img info command. Change-Id: If5b7129b266ef065642bc7898ce9dcf93722a053 Closes-bug: #1449062 (cherry picked from commit 78f17f0ad79380ee3d9c50f2670252bcc559b62b)
Notes
Notes (review): Code-Review+1: Eric Harney <eharney@redhat.com> Code-Review+1: Jay Bryant <jsbryant@us.ibm.com> Code-Review+2: John Griffith <john.griffith8@gmail.com> Workflow+1: John Griffith <john.griffith8@gmail.com> Verified+2: Jenkins Submitted-by: Jenkins Submitted-at: Fri, 23 Sep 2016 16:56:17 +0000 Reviewed-on: https://review.openstack.org/375102 Project: openstack/cinder Branch: refs/heads/stable/newton
-rw-r--r--cinder/image/image_utils.py6
-rw-r--r--cinder/tests/unit/test_image_utils.py9
-rw-r--r--releasenotes/notes/apply-limits-to-qemu-img-29f722a1bf4b91f8.yaml7
3 files changed, 18 insertions, 4 deletions
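--- a/cinder/image/image_utils.py
+++ b/cinder/image/image_utils.py
@@ -54,6 +54,9 @@ image_helper_opts = [cfg.StrOpt('image_conversion_dir',
 CONF = cfg.CONF
 CONF.register_opts(image_helper_opts)
 
+QEMU_IMG_LIMITS = processutils.ProcessLimits(
+ cpu_time=2,
+ address_space=1 * units.Gi)
 
 # NOTE(abhishekk): qemu-img convert command supports raw, qcow2, qed,
 # vdi, vmdk, vhd and vhdx disk-formats but glance doesn't support qed
@@ -71,7 +74,8 @@ def qemu_img_info(path, run_as_root=True):
  cmd = ('env', 'LC_ALL=C', 'qemu-img', 'info', path)
  if os.name == 'nt':
  cmd = cmd[2:]
- out, _err = utils.execute(*cmd, run_as_root=run_as_root)
+ out, _err = utils.execute(*cmd, run_as_root=run_as_root,
+ prlimit=QEMU_IMG_LIMITS)
  return imageutils.QemuImgInfo(out)
 
 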
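Review bot: `QEMU_IMG_LIMITS` is introduced at module level with bare numbers and no comment, and `qemu_img_info` passes it on every path, including the `os.name == 'nt'` branch just above the call. A comment such as `# Cap qemu-img info (2 s CPU, 1 GiB address space) so a crafted or corrupt image cannot exhaust the host; see bug #1449062.` would tell a maintainer that loosening these values reopens a denial-of-service path. When a limit is hit, `utils.execute` presumably raises, and nothing in the visible lines catches or translates that, so a legitimate but large or slow-to-parse image would fail the same way as a hostile one; it is worth confirming that callers log the image path on that error. Whether `prlimit` is supported by the executor on Windows is not visible here and should be checked. The body of `qemu_img_info` starts outside the hunk.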
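--- a/cinder/tests/unit/test_image_utils.py
+++ b/cinder/tests/unit/test_image_utils.py
@@ -39,7 +39,8 @@ class TestQemuImgInfo(test.TestCase):
 
  output = image_utils.qemu_img_info(test_path)
  mock_exec.assert_called_once_with('env', 'LC_ALL=C', 'qemu-img',
- 'info', test_path, run_as_root=True)
+ 'info', test_path, run_as_root=True,
+ prlimit=image_utils.QEMU_IMG_LIMITS)
  self.assertEqual(mock_info.return_value, output)
 
  @mock.patch('oslo_utils.imageutils.QemuImgInfo')
@@ -52,7 +53,8 @@ class TestQemuImgInfo(test.TestCase):
 
  output = image_utils.qemu_img_info(test_path, run_as_root=False)
  mock_exec.assert_called_once_with('env', 'LC_ALL=C', 'qemu-img',
- 'info', test_path, run_as_root=False)
+ 'info', test_path, run_as_root=False,
+ prlimit=image_utils.QEMU_IMG_LIMITS)
  self.assertEqual(mock_info.return_value, output)
 
  @mock.patch('cinder.image.image_utils.os')
@@ -67,7 +69,8 @@ class TestQemuImgInfo(test.TestCase):
 
  output = image_utils.qemu_img_info(test_path)
  mock_exec.assert_called_once_with('qemu-img', 'info', test_path,
- run_as_root=True)
+ run_as_root=True,
+ prlimit=image_utils.QEMU_IMG_LIMITS)
  self.assertEqual(mock_info.return_value, output)
 
  @mock.patch('cinder.utils.execute')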
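Review bot: The three updated assertions compare against `image_utils.QEMU_IMG_LIMITS` itself, so they would still pass if the constant were later loosened or emptied; nothing in these hunks pins the 2-second and 1 GiB values that the security fix depends on. Adding `self.assertEqual(2, image_utils.QEMU_IMG_LIMITS.cpu_time)` and `self.assertEqual(1024 ** 3, image_utils.QEMU_IMG_LIMITS.address_space)` in one test would catch that regression. There is also no case for `execute` raising when a limit is exceeded, so the failure path of `qemu_img_info` stays untested. The same applies to the hunks at -52 and -67; the test methods begin outside each hunk.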
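--- /dev/null
+++ b/releasenotes/notes/apply-limits-to-qemu-img-29f722a1bf4b91f8.yaml
@@ -0,0 +1,7 @@
+---
+security:
+ - The qemu-img tool now has resource limits applied
+ which prevent it from using more than 1GB of address
+ space or more than 2 seconds of CPU time. This provides
+ protection against denial of service attacks from
+ maliciously crafted or corrupted disk images.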