yahoo-eng-team team mailing list archive
Message #85569
[Bug 1552042] Re: Host data corruption through nova inject_key feature
The fix merged to master
https://review.opendev.org/c/openstack/nova/+/324720
** Changed in: nova
Status: In Progress => Fix Released
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1552042
Title:
Host data corruption through nova inject_key feature
Status in OpenStack Compute (nova):
Fix Released
Status in OpenStack Security Advisory:
Incomplete
Bug description:
Reported by Garth Mollett from Red Hat.
The nova.virt.disk.vfs.VFSLocalFS has measures to prevent symlink
traversal outside of the root of the images directory but it does not
prevent access to device nodes inside the image itself. A simple fix
should be to mount with the 'nodev' option.
Under certain circumstances, the boot process will fall back to
VFSLocalFS when trying to inject the public key, for libvirt:
* when libguestfs is not installed or can't be loaded.
* use_cow_images=false and inject_partition for non-nbd
* for loopback mount at least, there is a race condition to win in virt/disk/mount/api.py between kpartx and a /dev/mapper/ file creation: os.path.exists can run before the path exists even though it's there half a second later.
The xenapi is also likely vulnerable, though untested.
To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1552042/+subscriptions
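
The gap described in the report, shown as an added example that is not nova's code or the merged fix: a write helper that confines the path to the image root and also refuses anything that is not a regular file, as a check complementary to mounting with 'nodev'. The names `append_inside_image` and `UnsafeTarget` and the key path are hypothetical, and the demo uses a FIFO as a constructed stand-in for a device node because creating one requires root.

```python
import os
import stat
import tempfile


class UnsafeTarget(Exception):
    """Target is outside the image root or is not a regular file."""


def append_inside_image(root, rel_path, data):
    """Append data to rel_path under a host-mounted image root (hypothetical helper)."""
    root = os.path.realpath(root)
    target = os.path.realpath(os.path.join(root, rel_path.lstrip("/")))
    # Symlink-traversal check: the resolved path must stay under root.
    if os.path.commonpath([root, target]) != root:
        raise UnsafeTarget("path escapes image root: " + rel_path)
    # Confinement is not enough: the image's own filesystem may hold a block or
    # character device node, which refers to a host device unless mounted 'nodev'.
    # Check the type before opening, since opening a device can have side effects.
    if os.path.lexists(target) and not stat.S_ISREG(os.lstat(target).st_mode):
        raise UnsafeTarget("not a regular file: " + rel_path)
    flags = os.O_WRONLY | os.O_APPEND | os.O_CREAT | os.O_NOFOLLOW | os.O_NONBLOCK
    fd = os.open(target, flags, 0o600)
    try:
        # Re-check on the descriptor in case the path changed after lstat().
        if not stat.S_ISREG(os.fstat(fd).st_mode):
            raise UnsafeTarget("target changed type during open: " + rel_path)
        os.write(fd, data)
    finally:
        os.close(fd)


if __name__ == "__main__":
    # Constructed image tree; a FIFO stands in for a device node (mknod needs root).
    image_root = tempfile.mkdtemp()
    os.makedirs(os.path.join(image_root, "root", ".ssh"))
    os.mkfifo(os.path.join(image_root, "root", ".ssh", "authorized_keys"))
    try:
        append_inside_image(image_root, "/root/.ssh/authorized_keys",
                            b"ssh-ed25519 AAAA... constructed\n")
    except UnsafeTarget as exc:
        print("refused:", exc)
```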