yahoo-eng-team team mailing list archive

[Bug 2073413] [NEW] QcowFormatInspector feature check checks wrong bitmask

 

Public bug reported:

Consider the code at
https://opendev.org/openstack/nova/src/branch/master/nova/image/format_inspector.py#L330


        # This is the maximum byte number we should expect any bits to be set
        max_byte = self.I_FEATURES_MAX_BIT // 8

        # The flag bytes are in big-endian ordering, so if we process
        # them in index-order, they're reversed
        for i, byte_num in enumerate(reversed(range(self.I_FEATURES_LEN))):
            if byte_num == max_byte:
                # If we're in the max-allowed byte, allow any bits less than
                # the maximum-known feature flag bit to be set
                allow_mask = ((1 << self.I_FEATURES_MAX_BIT) - 1)
...

            if i_features[i] & ~allow_mask:
                LOG.warning('Found unknown feature bit in byte %i: %s/%s',
                            byte_num, bin(i_features[byte_num] & ~allow_mask),
                            bin(allow_mask))


If I_FEATURES_MAX_BIT is 8 or larger, the allow_mask created for the max_byte is incorrect.
There should be a MOD 8 in the calculation.
As it is, the created allow_mask will have all bits set in the lower 8 bits and allow all bits in the max_byte byte.

By sheer luck, the current value of I_FEATURES_MAX_BIT is only 4, which
keeps this from being an active security vulnerability (only a potential
one in the future, if this is not fixed before I_FEATURES_MAX_BIT is
increased).

** Affects: nova
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/2073413
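
Added example (not part of the bug report and not nova's code): a small Python reproduction of the mask check quoted above, comparing the quoted mask with one that takes the bit position modulo 8. FEATURES_LEN = 8, the branches hidden behind the "..." in the quote, and all function names here are assumptions made for this sketch.

```python
# Added example: constants and the elided branches are assumptions, not nova's code.
FEATURES_LEN = 8  # assumed width of the feature field, in bytes


def buggy_mask(max_bit):
    # Mask as quoted in the report: the shift uses the absolute bit number.
    return (1 << max_bit) - 1


def fixed_mask(max_bit):
    # Mask with the "MOD 8" the report asks for: bit position within the byte.
    return (1 << (max_bit % 8)) - 1


def unknown_bits(i_features, max_bit, mask_fn):
    """Return [(byte_num, offending_bits)] for bits outside the allowed set."""
    max_byte = max_bit // 8
    found = []
    # Big-endian field: index 0 holds the most significant byte.
    for i, byte_num in enumerate(reversed(range(FEATURES_LEN))):
        if byte_num == max_byte:
            allow_mask = mask_fn(max_bit)
        elif byte_num > max_byte:
            allow_mask = 0x00  # assumed: nothing is known above the max byte
        else:
            allow_mask = 0xFF  # assumed: every bit below the max byte is known
        bad = i_features[i] & ~allow_mask
        if bad:
            found.append((byte_num, bad))
    return found


def field_with_bit(bit):
    # Constructed sample input: a big-endian feature field with one bit set.
    return (1 << bit).to_bytes(FEATURES_LEN, "big")


if __name__ == "__main__":
    # (max known bit, bit set in the constructed field)
    for max_bit, bit in [(4, 6), (10, 12)]:
        sample = field_with_bit(bit)
        print("max_bit=%d bit=%d" % (max_bit, bit),
              "quoted:", unknown_bits(sample, max_bit, buggy_mask),
              "mod 8:", unknown_bits(sample, max_bit, fixed_mask))
```

With a maximum bit of 4 both masks flag bit 6; with a hypothetical maximum bit of 10, only the modulo-8 mask flags bit 12, because the quoted mask covers the whole byte.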
