yahoo-eng-team team mailing list archive

[Bug 1552042] Re: Host data corruption through nova inject_key feature

 

The fix merged to master
https://review.opendev.org/c/openstack/nova/+/324720

** Changed in: nova
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1552042

Title:
  Host data corruption through nova inject_key feature

Status in OpenStack Compute (nova):
  Fix Released
Status in OpenStack Security Advisory:
  Incomplete

Bug description:
  Reported by Garth Mollett from Red Hat.

  The nova.virt.disk.vfs.VFSLocalFS has measures to prevent symlink
  traversal outside of the root of the images directory but it does not
  prevent access to device nodes inside the image itself. A simple fix
  should be to mount with the 'nodev' option.

  Under certain circumstances, the boot process will fall back to
  VFSLocalFS when trying to inject the public key, for libvirt:

  * when libguestfs is not installed or can't be loaded.
  * use_cow_images=false and inject_partition for non-nbd
  * for loopback mount at least, there is a race condition to win in virt/disk/mount/api.py between kpartx and a /dev/mapper/ file creation: os.path.exists can run before the path exists even though it's there half a second later.

  The xenapi is also likely vulnerable, though untested.

To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1552042/+subscriptions
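
The bug description above names mounting with 'nodev' as the fix. As an added example (not part of the original message and not nova's code), the following host-side check reads mount-table text in /proc/self/mounts format and reports guest-image mounts that lack 'nodev'. The sample mount lines, the mount point names and the list of source device patterns are constructed assumptions.

```python
import re

# Constructed sample in /proc/self/mounts format; devices and paths are illustrative.
SAMPLE_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime 0 0
proc /proc proc rw,nosuid,nodev,noexec 0 0
/dev/mapper/loop0p1 /tmp/openstack-vfs-localfsAbC123 ext4 rw,relatime 0 0
/dev/nbd3p1 /tmp/openstack-vfs-localfsXyZ789 ext4 rw,nosuid,nodev,relatime 0 0
/dev/loop1 /mnt/guest\\040image ext4 rw,relatime 0 0
"""

# Assumed source devices for a guest image mounted on the host: loop devices,
# nbd devices and kpartx partition mappings of either.
IMAGE_SOURCE = re.compile(r"^/dev/(loop\d+|nbd\d+(p\d+)?|mapper/(loop|nbd)\d+p\d+)$")


def _unescape(field):
    # The kernel writes space, tab, newline and backslash as \ooo octal escapes.
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)


def parse_mounts(text):
    """Yield (source, target, fstype, options) for each well-formed mount line."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # skip blank or truncated lines
        source, target, fstype, opts = parts[:4]
        yield _unescape(source), _unescape(target), fstype, set(opts.split(","))


def image_mounts_without_nodev(text):
    """Return mount points of image-backed filesystems mounted without 'nodev'."""
    return [
        target
        for source, target, _fstype, opts in parse_mounts(text)
        if IMAGE_SOURCE.match(source) and "nodev" not in opts
    ]


if __name__ == "__main__":
    for target in image_mounts_without_nodev(SAMPLE_MOUNTS):
        print("device nodes are honoured under:", target)
```

On a compute host, pass the contents of /proc/self/mounts instead of the sample text.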