← Back to team overview

yahoo-eng-team team mailing list archive

[Bug 1253980] Re: [OSSA 2013-037] DoS attack via setting os_type in snapshots (CVE-2013-6437)

 

** Changed in: nova/grizzly
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1253980

Title:
  [OSSA 2013-037] DoS attack via setting os_type in snapshots
  (CVE-2013-6437)

Status in OpenStack Compute (Nova):
  Fix Released
Status in OpenStack Compute (nova) grizzly series:
  Fix Released
Status in OpenStack Compute (nova) havana series:
  Fix Released
Status in OpenStack Security Advisories:
  Fix Released

Bug description:
  If the os_type metadata is set of an image, the ephemeral disk backing file for that image will be named ephemeral_[size]_[os_type].
  Because the user can change os_type they can use this to create new ephemeral backing files.
  Nova image cache management does not include deleting ephemeral backing files (presumably because they are expected to be a small, stable set.

  Hence a user can fill the disk with ephemeral backing files via the
  following:

  1) Spawn a instance
  2) Create a snapshot from it, delete the original instance
  3) In a loop:
  generate a random os_type
  set os_type to the snapshot
  spawn and instance from it, and then delete the instance

  Every iteration will generate an ephemeral backing file on a compute
  host.  With a stacking scheduling policy there is a good chance of
  hitting the same host repeatedly until its disk is full.

  Suggested mitigation

  Only use “os_type” in the ephemeral file name if there is a specific
  mkfs command defined, otherwise use “default”   (Currently for
  undefined os-types it will use the default mkfs command, but still
  uses os_type in the name.

To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1253980/+subscriptions