openstack
/
nova
Code Issues Proposed changes

Fix format conversion in libvirt snapshot 

The libvirt driver was calling images.convert_image during snapshot to
convert snapshots to the intended output format. However, this
function does not take the input format as an argument, meaning it
implicitly does format detection. This opened an exploit for setups
using raw storage on the backend, including raw on filesystem, LVM,
and RBD (Ceph). An authenticated user could write a qcow2 header to
their instance's disk which specified an arbitrary backing file on the
host. When convert_image ran during snapshot, this would then write
the contents of the backing file to glance, which is then available to
the user. If the setup uses an LVM backend this conversion runs as
root, meaning the user can exfiltrate any file on the host, including
raw disks.

This change adds an input format to convert_image.

Partial-Bug: #1524274

Change-Id: If73e73718ecd5db262ed9904091024238f98dbc0
This commit is contained in:
Matthew Booth 2015-12-10 16:34:19 +00:00
parent 2bb6635a21
commit 820430b62a
4 changed files with 43 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
nova/tests/unit/virt/libvirt/test_driver.py
View File

@ -15480,7 +15480,7 @@ class LibvirtVolumeSnapshotTestCase(test.NoDBTestCase):
self.mox.VerifyAll()
def _fake_convert_image(source, dest, out_format,
def _fake_convert_image(source, dest, in_format, out_format,
run_as_root=True):
libvirt_driver.libvirt_utils.files[dest] = ''
@ -15629,7 +15629,8 @@ class LVMSnapshotTests(_BaseSnapshotTests):
mock_volume_info.assert_has_calls([mock.call('/dev/nova-vg/lv')])
mock_convert_image.assert_called_once_with(
'/dev/nova-vg/lv', mock.ANY, disk_format, run_as_root=True)
'/dev/nova-vg/lv', mock.ANY, 'raw', disk_format,
run_as_root=True)
def test_raw(self):
self._test_lvm_snapshot('raw')

3
nova/tests/unit/virt/libvirt/test_utils.py
View File

@ -627,7 +627,8 @@ disk size: 4.4M
target = 't.qcow2'
self.executes = []
expected_commands = [('qemu-img', 'convert', '-O', 'raw',
't.qcow2.part', 't.qcow2.converted'),
't.qcow2.part', 't.qcow2.converted',
'-f', 'qcow2'),
('rm', 't.qcow2.part'),
('mv', 't.qcow2.converted', 't.qcow2')]
images.fetch_to_raw(context, image_id, target, user_id, project_id,

26
nova/virt/images.py
View File

@ -66,9 +66,31 @@ def qemu_img_info(path):
return imageutils.QemuImgInfo(out)
def convert_image(source, dest, out_format, run_as_root=False):
def convert_image(source, dest, in_format, out_format, run_as_root=False):
"""Convert image to other format."""
if in_format is None:
raise RuntimeError("convert_image without input format is a security"
"risk")
_convert_image(source, dest, in_format, out_format, run_as_root)
def convert_image_unsafe(source, dest, out_format, run_as_root=False):
"""Convert image to other format, doing unsafe automatic input format
detection. Do not call this function.
"""
# NOTE: there is only 1 caller of this function:
# imagebackend.Lvm.create_image. It is not easy to fix that without a
# larger refactor, so for the moment it has been manually audited and
# allowed to continue. Remove this function when Lvm.create_image has
# been fixed.
_convert_image(source, dest, None, out_format, run_as_root)
def _convert_image(source, dest, in_format, out_format, run_as_root):
cmd = ('qemu-img', 'convert', '-O', out_format, source, dest)
if in_format is not None:
cmd = cmd + ('-f', in_format)
utils.execute(*cmd, run_as_root=run_as_root)
@ -123,7 +145,7 @@ def fetch_to_raw(context, image_href, path, user_id, project_id, max_size=0):
staged = "%s.converted" % path
LOG.debug("%s was %s, converting to raw" % (image_href, fmt))
with fileutils.remove_path_on_error(staged):
convert_image(path_tmp, staged, 'raw')
convert_image(path_tmp, staged, fmt, 'raw')
os.unlink(path_tmp)
data = qemu_img_info(staged)

19
nova/virt/libvirt/imagebackend.py
View File

@ -494,7 +494,7 @@ class Raw(Image):
disk.extend(image, size)
def snapshot_extract(self, target, out_format):
images.convert_image(self.path, target, out_format)
images.convert_image(self.path, target, self.driver_format, out_format)
@staticmethod
def is_file_in_instance_path():
@ -652,7 +652,16 @@ class Lvm(Image):
size, sparse=self.sparse)
if self.ephemeral_key_uuid is not None:
encrypt_lvm_image()
images.convert_image(base, self.path, 'raw', run_as_root=True)
# NOTE: by calling convert_image_unsafe here we're
# telling qemu-img convert to do format detection on the input,
# because we don't know what the format is. For example,
# we might have downloaded a qcow2 image, or created an
# ephemeral filesystem locally, we just don't know here. Having
# audited this, all current sources have been sanity checked,
# either because they're locally generated, or because they have
# come from images.fetch_to_raw. However, this is major code smell.
images.convert_image_unsafe(base, self.path, self.driver_format,
run_as_root=True)
if resize:
disk.resize2fs(self.path, run_as_root=True)
@ -704,8 +713,8 @@ class Lvm(Image):
lvm.remove_volumes([self.lv_path])
def snapshot_extract(self, target, out_format):
images.convert_image(self.path, target, out_format,
run_as_root=True)
images.convert_image(self.path, target, self.driver_format,
out_format, run_as_root=True)
def get_model(self, connection):
return imgmodel.LocalBlockImage(self.path)
@ -815,7 +824,7 @@ class Rbd(Image):
self.driver.resize(self.rbd_name, size)
def snapshot_extract(self, target, out_format):
images.convert_image(self.path, target, out_format)
images.convert_image(self.path, target, 'raw', out_format)
@staticmethod
def is_shared_block_storage():