yahoo-eng-team team mailing list archive
-
yahoo-eng-team team
-
Mailing list archive
-
Message #94264
[Bug 2073413] [NEW] QcowFormatInspector feature check checks wrong bitmask
Public bug reported:
Consider the code at
https://opendev.org/openstack/nova/src/branch/master/nova/image/format_inspector.py#L330
# This is the maximum byte number we should expect any bits to be set
max_byte = self.I_FEATURES_MAX_BIT // 8
# The flag bytes are in big-endian ordering, so if we process
# them in index-order, they're reversed
for i, byte_num in enumerate(reversed(range(self.I_FEATURES_LEN))):
if byte_num == max_byte:
# If we're in the max-allowed byte, allow any bits less than
# the maximum-known feature flag bit to be set
allow_mask = ((1 << self.I_FEATURES_MAX_BIT) - 1)
...
if i_features[i] & ~allow_mask:
LOG.warning('Found unknown feature bit in byte %i: %s/%s',
byte_num, bin(i_features[byte_num] & ~allow_mask),
bin(allow_mask))
If I_FEATURES_MAX_BIT is 8 or larger, the allow_mask created for the max_byte is incorrect.
There should be a MOD 8 in the calculation.
As it is, the created allow_mask will have all bits set in the lower 8 bits and allow all bits in the max_byte byte.
By sheer luck, the current value of I_FEATURES_MAX_BIT is only 4, which
keeps this from being an active security vulnerability (only a potential
one in the future, if this is not fixed before I_FEATURES_MAX_BIT is
increased).
** Affects: nova
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/2073413
Title:
QcowFormatInspector feature check checks wrong bitmask
Status in OpenStack Compute (nova):
New
Bug description:
Consider the code at
https://opendev.org/openstack/nova/src/branch/master/nova/image/format_inspector.py#L330
# This is the maximum byte number we should expect any bits to be set
max_byte = self.I_FEATURES_MAX_BIT // 8
# The flag bytes are in big-endian ordering, so if we process
# them in index-order, they're reversed
for i, byte_num in enumerate(reversed(range(self.I_FEATURES_LEN))):
if byte_num == max_byte:
# If we're in the max-allowed byte, allow any bits less than
# the maximum-known feature flag bit to be set
allow_mask = ((1 << self.I_FEATURES_MAX_BIT) - 1)
...
if i_features[i] & ~allow_mask:
LOG.warning('Found unknown feature bit in byte %i: %s/%s',
byte_num, bin(i_features[byte_num] & ~allow_mask),
bin(allow_mask))
If I_FEATURES_MAX_BIT is 8 or larger, the allow_mask created for the max_byte is incorrect.
There should be a MOD 8 in the calculation.
As it is, the created allow_mask will have all bits set in the lower 8 bits and allow all bits in the max_byte byte.
By sheer luck, the current value of I_FEATURES_MAX_BIT is only 4,
which keeps this from being an active security vulnerability (only a
potential one in the future, if this is not fixed before
I_FEATURES_MAX_BIT is increased).
To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/2073413/+subscriptions
Follow ups