yahoo-eng-team team mailing list archive
-
yahoo-eng-team team
-
Mailing list archive
-
Message #94303
[Bug 2071734] Re: [OSSA-2024-002] Incomplete file access fix and regression for QCOW2 backing files and VMDK flat descriptors (CVE-2024-40767)
Reviewed: https://review.opendev.org/c/openstack/ossa/+/924735
Committed: https://opendev.org/openstack/ossa/commit/43ab26efbd928d03f6d8f93b7f6ff2afd765e4fc
Submitter: "Zuul (22348)"
Branch: master
commit 43ab26efbd928d03f6d8f93b7f6ff2afd765e4fc
Author: Jeremy Stanley <fungi@xxxxxxxxxxx>
Date: Tue Jul 23 13:25:26 2024 +0000
Add OSSA-2024-002 (CVE-2024-40767)
Change-Id: I0108e766ac2aa8145860736a92115b5a963d38aa
Closes-Bug: #2071734
** Changed in: ossa
Status: In Progress => Fix Released
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/2071734
Title:
[OSSA-2024-002] Incomplete file access fix and regression for QCOW2
backing files and VMDK flat descriptors (CVE-2024-40767)
Status in OpenStack Compute (nova):
In Progress
Status in OpenStack Security Advisory:
Fix Released
Bug description:
When fixing bug #2059809, a regression of the previous bug #1996188
has been introduced.
TLDR: nova is allowing back VMDK with wrong types and QCOW with
backing files.
Long:
The following steps were used to reproduce on a Bobcat (2023.2)
OpenStack + nova patches for bug #2059809 (not yet merge when writing
this report)
Create a vmdk file:
$ qemu-img create -f vmdk disk-vmdk.vmdk 1M -o subformat=monolithicFlat
$ sed -i -r 's|disk-vmdk-flat.vmdk|/etc/hosts|' disk-vmdk.vmdk
Create a faulty qcow image:
$ qemu-img create -f qcow2 -F raw -b /etc/hosts disk-bf.qcow2 1M
Upload both images as raw (the default)
$ for i in disk-bf.qcow2 disk-vmdk.vmdk ; do openstack image create --file $i $i ; done
Boot an instance from those images:
$ openstack server create --flavor small --image disk-vmdk.vmdk --net public disk-vmdk.vmdk
$ openstack server create --flavor small --image disk-bf.qcow2 --net public disk-bf.qcow2
Results
=======
VMDK monolithicFlat
-------------------
Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/nova/compute/manager.py", line 2615, in _build_and_run_instance
self.driver.spawn(context, instance, image_meta,
File "/usr/lib/python3/dist-packages/nova/virt/libvirt/driver.py", line 4388, in spawn
created_instance_dir, created_disks = self._create_image(
^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3/dist-packages/nova/virt/libvirt/driver.py", line 4790, in _create_image
created_disks = self._create_and_inject_local_root(
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3/dist-packages/nova/virt/libvirt/driver.py", line 4921, in _create_and_inject_local_root
self._try_fetch_image_cache(backend, fetch_func, context,
File "/usr/lib/python3/dist-packages/nova/virt/libvirt/driver.py", line 10940, in _try_fetch_image_cache
image.cache(fetch_func=fetch_func,
File "/usr/lib/python3/dist-packages/nova/virt/libvirt/imagebackend.py", line 288, in cache
self.create_image(fetch_func_sync, base, size,
File "/usr/lib/python3/dist-packages/nova/virt/libvirt/imagebackend.py", line 615, in create_image
copy_raw_image(base, self.path, size)
File "/usr/lib/python3/dist-packages/oslo_concurrency/lockutils.py", line 414, in inner
return f(*args, **kwargs)
^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3/dist-packages/nova/virt/libvirt/imagebackend.py", line 590, in copy_raw_image
self.resize_image(size)
File "/usr/lib/python3/dist-packages/nova/virt/libvirt/imagebackend.py", line 621, in resize_image
disk.extend(image, size)
File "/usr/lib/python3/dist-packages/nova/virt/disk/api.py", line 128, in extend
processutils.execute('qemu-img', 'resize', image.path, size)
File "/usr/lib/python3/dist-packages/oslo_concurrency/processutils.py", line 438, in execute
raise ProcessExecutionError(exit_code=_returncode,
oslo_concurrency.processutils.ProcessExecutionError: Unexpected error while running command.
Command: qemu-img resize /var/lib/nova/instances/07b5907b-5efc-4fdf-8b15-4b47a820c2f8/disk 2147483648
Exit code: 1
Stdout: ''
Stderr: "qemu-img: Could not open '/var/lib/nova/instances/07b5907b-5efc-4fdf-8b15-4b47a820c2f8/disk': Could not open '/etc/hosts': Permission denied\n"
Qemu tried to read /etc/hosts. My system permissions prevented it, but
nova did nothing about it: wrong.
QEMU Backing File
-----------------
Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/nova/compute/manager.py", line 2615, in _build_and_run_instance
self.driver.spawn(context, instance, image_meta,
File "/usr/lib/python3/dist-packages/nova/virt/libvirt/driver.py", line 4415, in spawn
self._create_guest_with_network(
File "/usr/lib/python3/dist-packages/nova/virt/libvirt/driver.py", line 7785, in _create_guest_with_network
with excutils.save_and_reraise_exception():
File "/usr/lib/python3/dist-packages/oslo_utils/excutils.py", line 227, in __exit__
self.force_reraise()
File "/usr/lib/python3/dist-packages/oslo_utils/excutils.py", line 200, in force_reraise
raise self.value
File "/usr/lib/python3/dist-packages/nova/virt/libvirt/driver.py", line 7763, in _create_guest_with_network
guest = self._create_guest(
^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3/dist-packages/nova/virt/libvirt/driver.py", line 7702, in _create_guest
guest.launch(pause=pause)
File "/usr/lib/python3/dist-packages/nova/virt/libvirt/guest.py", line 167, in launch
with excutils.save_and_reraise_exception():
File "/usr/lib/python3/dist-packages/oslo_utils/excutils.py", line 227, in __exit__
self.force_reraise()
File "/usr/lib/python3/dist-packages/oslo_utils/excutils.py", line 200, in force_reraise
raise self.value
File "/usr/lib/python3/dist-packages/nova/virt/libvirt/guest.py", line 165, in launch
return self._domain.createWithFlags(flags)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3/dist-packages/eventlet/tpool.py", line 193, in doit
result = proxy_call(self._autowrap, f, *args, **kwargs)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3/dist-packages/eventlet/tpool.py", line 151, in proxy_call
rv = execute(f, *args, **kwargs)
^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3/dist-packages/eventlet/tpool.py", line 132, in execute
six.reraise(c, e, tb)
File "/usr/lib/python3/dist-packages/six.py", line 719, in reraise
raise value
File "/usr/lib/python3/dist-packages/eventlet/tpool.py", line 86, in tworker
rv = meth(*args, **kwargs)
^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3/dist-packages/libvirt.py", line 1409, in createWithFlags
raise libvirtError('virDomainCreateWithFlags() failed')
libvirt.libvirtError: internal error: cannot update AppArmor profile 'libvirt-6bd32822-2454-402a-9617-6ec66e0090f4'
In libvirtd journalctl:
Jul 02 20:22:44 compute-1 libvirtd[959438]: internal error: Child
process (LIBVIRT_LOG_OUTPUTS=3:stderr /usr/lib/libvirt/virt-aa-helper
-r -u libvirt-6bd32822-2454-402a-9617-6ec66e0090f4 -F /dev/net/tun)
unexpected exit status 1: virt-aa-helper: error: /etc/hosts
Here it's apparmor that prevented the boot, but nova should have
catched it: wrong
Expected results
----------------
Nova should raise an exception like it does previously.
E.G. for VMDK: nova.exception.ImageUnacceptable: Image xyz is unacceptable: Invalid VMDK create-type specified
To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/2071734/+subscriptions