yahoo-eng-team team mailing list archive

[Bug 1449062] Re: qemu-img calls need to be restricted by ulimit (CVE-2015-5162)


Reviewed:  https://review.openstack.org/307663
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=068d851561addfefb2b812d91dc2011077cb6e1d
Submitter: Jenkins
Branch:    master

commit 068d851561addfefb2b812d91dc2011077cb6e1d
Author: Daniel P. Berrange <berrange@xxxxxxxxxx>
Date:   Mon Apr 18 16:32:19 2016 +0000

    virt: set address space & CPU time limits when running qemu-img
    
    This uses the new 'prlimit' parameter for oslo.concurrency execute
    method, to set an address space limit of 1GB and CPU time limit
    of 2 seconds, when running qemu-img.
    
    This is a re-implementation of the previously reverted commit
    
    commit da217205f53f9a38a573fb151898fbbeae41021d
    Author: Tristan Cacqueray <tdecacqu@xxxxxxxxxx>
    Date:   Wed Aug 5 17:17:04 2015 +0000
    
        virt: Use preexec_fn to ulimit qemu-img info call
    
    Closes-Bug: #1449062
    Change-Id: I135b5242af1bfdcb0ea09a6fcda21fc03a6fbe7d


** Changed in: nova
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1449062

Title:
  qemu-img calls need to be restricted by ulimit (CVE-2015-5162)

Status in Cinder:
  New
Status in Glance:
  In Progress
Status in OpenStack Compute (nova):
  Fix Released
Status in OpenStack Security Advisory:
  Confirmed

Bug description:
  Reported via private E-mail from Richard W.M. Jones.

  Turns out qemu image parser is not hardened against malicious input
  and can be abused to allocate an arbitrary amount of memory and/or
  dump a lot of information when used with "--output=json".

  The solution seems to be: limit qemu-img resources using ulimit.

  Example of abuse:

  -- afl1.img --

  $ /usr/bin/time qemu-img info afl1.img
  image: afl1.img
  [...]
  0.13user 0.19system 0:00.36elapsed 92%CPU (0avgtext+0avgdata 642416maxresident)k
  0inputs+0outputs (0major+156927minor)pagefaults 0swaps

  The original image is 516 bytes, but it causes qemu-img to allocate
  640 MB.

  -- afl2.img --

  $ qemu-img info --output=json afl2.img | wc -l
  589843

  This is a 200K image which causes qemu-img info to output half a
  million lines of JSON (14 MB of JSON).

  Glance runs the --output=json variant of the command.

  -- afl3.img --

  $ /usr/bin/time qemu-img info afl3.img
  image: afl3.img
  [...]
  0.09user 0.35system 0:00.47elapsed 94%CPU (0avgtext+0avgdata 1262388maxresident)k
  0inputs+0outputs (0major+311994minor)pagefaults 0swaps

  qemu-img allocates 1.3 GB (actually, a bit more if you play with
  ulimit -v).  It appears that you could change it to allocate
  arbitrarily large amounts of RAM.

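As an added example (not nova's or oslo.concurrency's own code), the limits named in the commit message reimplemented with the Python standard library: the child process is placed under RLIMIT_AS (1 GB) and RLIMIT_CPU (2 s) from a preexec_fn, the mechanism of the reverted commit, whereas the merged nova fix passes the same limits through the prlimit parameter of oslo.concurrency's execute. The "hungry parser" is a constructed stand-in for qemu-img handling a crafted image; it tries to allocate the 1.3 GB seen in the afl3.img report.

```python
"""Run an untrusted-input parser (stand-in for qemu-img) under the
address-space and CPU-time limits the nova fix applies."""
import resource
import subprocess
import sys

GIB = 1024 ** 3
ADDRESS_SPACE_LIMIT = 1 * GIB   # the 1GB address space limit from the commit
CPU_TIME_LIMIT = 2              # the 2 second CPU time limit from the commit


def _apply_limits():
    # Runs in the child between fork() and exec(). RLIMIT_AS makes an
    # oversized allocation fail with ENOMEM instead of exhausting host RAM;
    # RLIMIT_CPU delivers SIGXCPU once the child has burned that many CPU
    # seconds, bounding a parser stuck in a pathological image.
    resource.setrlimit(resource.RLIMIT_AS,
                       (ADDRESS_SPACE_LIMIT, ADDRESS_SPACE_LIMIT))
    resource.setrlimit(resource.RLIMIT_CPU, (CPU_TIME_LIMIT, CPU_TIME_LIMIT))


def run_limited(cmd, limited=True):
    """Run cmd under the limits; return (returncode, stdout)."""
    proc = subprocess.run(cmd, capture_output=True, text=True,
                          preexec_fn=_apply_limits if limited else None)
    return proc.returncode, proc.stdout


# Constructed stand-in for qemu-img on a crafted image: a child that tries
# to allocate 1.3 GB, as afl3.img made qemu-img do in the report above.
HUNGRY_PARSER = [sys.executable, "-c",
                 "b = bytearray(1300 * 1024 * 1024); print('allocated', len(b))"]
# Constructed stand-in for qemu-img on a sane image: stays well under 1 GB.
SMALL_PARSER = [sys.executable, "-c", "print('ok')"]


def demo():
    """Return the exit codes of the sane and the hungry child under limits."""
    rc_small, _ = run_limited(SMALL_PARSER)
    rc_hungry, _ = run_limited(HUNGRY_PARSER)   # MemoryError -> exit code 1
    return rc_small, rc_hungry


if __name__ == "__main__":
    print(demo())  # → (0, 1)
```

The hungry child fails at the allocation rather than consuming host memory, which is the behaviour the bug report asks for; Linux only, since it relies on setrlimit.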