yahoo-eng-team team mailing list archive
Message #03661
[Bug 1194093] Re: Resource limit circumvention in Nova private flavors (CVE-2013-2256)
** Changed in: nova
Status: Fix Committed => Fix Released
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1194093
Title:
Resource limit circumvention in Nova private flavors (CVE-2013-2256)
Status in OpenStack Compute (Nova):
Fix Released
Status in OpenStack Compute (nova) folsom series:
Confirmed
Status in OpenStack Compute (nova) grizzly series:
Confirmed
Status in OpenStack Security Advisories:
In Progress
Status in Tempest:
Invalid
Bug description:
I want to demonstrate the bug as follows:
Make sure the role is admin: source devstack/openrc admin admin
I create a private flavor as follows:
nova flavor-create test1 7 512 4 2
Make sure the role is demo: source devstack/openrc demo demo
OK, now I use 'nova flavor-list':
+----+-----------+-----------+------+-----------+------+-------+-------------+-----------+---------------------------+
| ID | Name      | Memory_MB | Disk | Ephemeral | Swap | VCPUs | RXTX_Factor | Is_Public | extra_specs               |
+----+-----------+-----------+------+-----------+------+-------+-------------+-----------+---------------------------+
| 3  | m1.medium | 4096      | 40   | 0         |      | 2     | 1.0         | True      | {u'ecus_per_vcpu:': u'1'} |
| 4  | m1.large  | 8192      | 80   | 0         |      | 4     | 1.0         | True      | {u'ecus_per_vcpu:': u'1'} |
| 5  | m1.xlarge | 16384     | 160  | 0         |      | 8     | 1.0         | True      | {u'ecus_per_vcpu:': u'1'} |
+----+-----------+-----------+------+-----------+------+-------+-------------+-----------+---------------------------+
But when I use 'nova flavor-show':
nova flavor-show 7
+----------------------------+-------+
| Property                   | Value |
+----------------------------+-------+
| OS-FLV-DISABLED:disabled   | False |
| OS-FLV-EXT-DATA:ephemeral  | 0     |
| disk                       | 4     |
| extra_specs                | {}    |
| id                         | 7     |
| name                       | test1 |
| os-flavor-access:is_public | False |
| ram                        | 512   |
| rxtx_factor                | 1.0   |
| swap                       |       |
| vcpus                      | 2     |
+----------------------------+-------+
So the demo user can boot a new instance with the private flavor. I want to prevent other tenants from accessing my private flavor, including through the command 'nova flavor-show'; only in this way can we prevent other tenants from using my private flavors to create instances.
OK, I modified the code in 'nova/api/openstack/compute/flavors.py' to fix this bug (show() is a method of the Flavors controller; the imports listed are the ones flavors.py already has):

import webob.exc

from nova.compute import instance_types
from nova import exception


def show(self, req, id):
    """Return data about the given flavor id."""
    try:
        context = req.environ['nova.context']
        flavor = instance_types.get_instance_type_by_flavor_id(id, context)
        if not context.is_admin:
            # A non-admin caller may only see a private flavor that is in
            # the list it is allowed to view, so compare the requested
            # flavorid against that list (not against each entry in turn).
            visible_ids = set(f.get('flavorid', None)
                              for f in self._get_flavors(req))
            flavor_is_not = (flavor.get('is_public', None) == False
                             and flavor.get('flavorid', None) not in visible_ids)
            if flavor_is_not:
                # Answer 404 rather than 403 so the response does not
                # confirm that the private flavor exists.
                raise webob.exc.HTTPNotFound()
        req.cache_db_flavor(flavor)
    except exception.NotFound:
        raise webob.exc.HTTPNotFound()
    return self._view_builder.show(req, flavor)
To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1194093/+subscriptions
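The access rule the report above argues for, written out as an added Python example. This is not Nova's code and not the reporter's patch: the dict layout, the request contexts and the function names (FlavorNotFound, flavor_visible, list_flavors, show_flavor, boot_allowed, grant_access) are assumptions chosen for the illustration. It shows the point the report makes by listing versus showing: filtering flavor-list is not enough, because flavor-show and instance boot take a flavor id directly, so the same visibility check has to sit on every path that resolves a flavor, and a hidden flavor should get the same 404 as a nonexistent one.

```python
# Added example, not code from Nova or from the bug report. It models the
# visibility rule for private flavors: a non-admin request may see, and boot
# from, a flavor only if it is public or its project has been granted access.
# All names and the dict layout are assumptions, not Nova's schema.


class FlavorNotFound(Exception):
    """Raised where the API would answer HTTP 404 (id unknown or hidden)."""


def sample_flavors():
    """Constructed data mirroring the report: three public m1.* flavors and
    the private 'test1' flavor (id 7) created by the admin. 'projects' is
    the set of project ids granted access (what os-flavor-access records)."""
    return [
        {"flavorid": "3", "name": "m1.medium", "ram": 4096, "vcpus": 2,
         "is_public": True, "projects": set()},
        {"flavorid": "4", "name": "m1.large", "ram": 8192, "vcpus": 4,
         "is_public": True, "projects": set()},
        {"flavorid": "5", "name": "m1.xlarge", "ram": 16384, "vcpus": 8,
         "is_public": True, "projects": set()},
        {"flavorid": "7", "name": "test1", "ram": 512, "vcpus": 2,
         "is_public": False, "projects": set()},
    ]


# Constructed request contexts: the admin and demo users from the report.
ADMIN = {"project_id": "admin_project", "is_admin": True}
DEMO = {"project_id": "demo_project", "is_admin": False}


def flavor_visible(flavor, context):
    """Public flavors are visible to everyone; a private flavor only to
    admins and to projects explicitly on its access list."""
    if context["is_admin"] or flavor["is_public"]:
        return True
    return context["project_id"] in flavor["projects"]


def list_flavors(context, flavors):
    """The flavor-list path: return only what the caller may see."""
    return [f for f in flavors if flavor_visible(f, context)]


def show_flavor(flavor_id, context, flavors):
    """The flavor-show path with the same check applied. An id the caller
    may not see gets the same 404 as an id that does not exist, so the
    response does not confirm that the private flavor is there."""
    for flavor in flavors:
        if flavor["flavorid"] == str(flavor_id):
            if flavor_visible(flavor, context):
                return flavor
            break
    raise FlavorNotFound(str(flavor_id))


def boot_allowed(flavor_id, context, flavors):
    """Instance creation must resolve the flavor through the same gate as
    show; a filtered flavor-list alone does not stop 'nova boot --flavor 7'."""
    try:
        show_flavor(flavor_id, context, flavors)
    except FlavorNotFound:
        return False
    return True


def grant_access(flavor_id, project_id, context, flavors):
    """Admin-only: add a project to a private flavor's access list (the
    operation 'nova flavor-access-add' performs). Returns the flavor."""
    if not context["is_admin"]:
        raise PermissionError("only admins may change flavor access")
    flavor = show_flavor(flavor_id, context, flavors)
    if flavor["is_public"]:
        # In this model access lists only apply to private flavors.
        raise ValueError("flavor %s is public" % flavor_id)
    flavor["projects"].add(project_id)
    return flavor


if __name__ == "__main__":
    flavors = sample_flavors()
    print([f["name"] for f in list_flavors(DEMO, flavors)])  # the three m1.* flavors
    print(boot_allowed(7, DEMO, flavors))  # False: private and not granted
    grant_access(7, "demo_project", ADMIN, flavors)
    print(boot_allowed(7, DEMO, flavors))  # True after the grant
```

The design choice worth copying is that show_flavor is the only place a flavor id is resolved for a caller, and boot_allowed goes through it; adding the check to the list call alone would leave exactly the gap the report describes, where 'nova flavor-show 7' and a boot with flavor 7 still succeed for the demo tenant.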