← Back to team overview

yahoo-eng-team team mailing list archive

[Bug 1194093] Re: [OSSA 2013-019] Resource limit circumvention in Nova private flavors (CVE-2013-2256)

 

** Changed in: nova/grizzly
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1194093

Title:
  [OSSA 2013-019] Resource limit circumvention in Nova private flavors
  (CVE-2013-2256)

Status in OpenStack Compute (Nova):
  Fix Released
Status in OpenStack Compute (nova) folsom series:
  Fix Committed
Status in OpenStack Compute (nova) grizzly series:
  Fix Released
Status in OpenStack Security Advisories:
  Fix Released

Bug description:
  i want to display the bug as follows:
  make  sure  the role is admin:  source  devstack/openrc  admin admin
  i create a private flavor as follows:

  nova  flavor-create test1   7    512    4    2

  make  sure  the role is demo:  source  devstack/openrc  demo demo

  ok,now i use 'nova flavor-list'
  +----+-----------+-----------+------+-----------+------+-------+-------------+-----------+---------------------------+
  | ID | Name      | Memory_MB | Disk | Ephemeral | Swap | VCPUs | RXTX_Factor | Is_Public | extra_specs               |
  +----+-----------+-----------+------+-----------+------+-------+-------------+-----------+---------------------------+
  | 3  | m1.medium | 4096      | 40   | 0         |      | 2     | 1.0         | True      | {u'ecus_per_vcpu:': u'1'} |
  | 4  | m1.large      | 8192      | 80   | 0         |      | 4     | 1.0             | True      |  {u'ecus_per_vcpu:': u'1'} |
  | 5  | m1.xlarge    | 16384     | 160  | 0         |      | 8     | 1.0         | True      | {u'ecus_per_vcpu:': u'1'} |

  +----+-----------+-----------+------+-----------+------+-------+-------------+-----------+---------------------------+
  but,when i use 'nova flavor-show'   :
  nova flavor-show  7
  +----------------------------+-------+
  | Property                   | Value |
  +----------------------------+-------+
  | OS-FLV-DISABLED:disabled   | False |
  | OS-FLV-EXT-DATA:ephemeral  | 0     |
  | disk                       | 4     |
  | extra_specs                | {}    |
  | id                         | 7     |
  | name                       | test1 |
  | os-flavor-access:is_public | False |
  | ram                        | 512   |
  | rxtx_factor                | 1.0   |
  | swap                       |       |
  | vcpus                      | 2     |
  +----------------------------+-------+
  so,the demo can boot a new instance with the  private flavor.i want to prevent other tenants accessing my private flavor, such as the  command:  nova flavor-show , only on this way can we prevent the other tenants use my private flavors to create instance.

  ok,i modfiy the codes in 'nova/api/openstack/compute/flavors.py' to fix this bug.
  def show(self, req, id):
      """Return data about the given flavor id."""
      try:

       context = req.environ['nova.context'] 
       flavor = instance_types.get_instance_type_by_flavor_id(id, context)

      
       if not context.is_admin:
           flavors = self._get_flavors(req)
           flavor_is_not = False
          for k in flavors:
              if k.get('flavorid', None) != flavor.get('flavorid', None)\
                                 and flavor.get('is_public', None) == False:
                  flavor_is_not = True
          if flavor_is_not:
              raise webob.exc.HTTPNotFound()
      req.cache_db_flavor(flavor)
      except exception.NotFound:
          raise webob.exc.HTTPNotFound()

      return self._view_builder.show(req, flavor)

To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1194093/+subscriptions