yahoo-eng-team team mailing list archive
Message #94310
[Bug 2073413] Re: QcowFormatInspector feature check checks wrong bitmask
We currently have no intention to extend the in-tree copies of the format inspector to increase
I_FEATURES_MAX_BIT beyond its hardcoded value of 4.
This is a valid design consideration for the oslo.utils version.
And yes, we are assuming qcow v3 implicitly; most distros moved to v3 quite some time ago.
We do not officially declare which versions of qcow images we support, but we stopped testing with v2
when we moved to Ubuntu 22.04 and CentOS 9 Stream, since they implicitly convert the images to v3.
** Changed in: nova
Status: New => Opinion
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/2073413
Title:
QcowFormatInspector feature check checks wrong bitmask
Status in Cinder:
New
Status in Glance:
New
Status in OpenStack Compute (nova):
Opinion
Bug description:
Consider the code at
https://opendev.org/openstack/nova/src/branch/master/nova/image/format_inspector.py#L330
    # This is the maximum byte number we should expect any bits to be set
    max_byte = self.I_FEATURES_MAX_BIT // 8
    # The flag bytes are in big-endian ordering, so if we process
    # them in index-order, they're reversed
    for i, byte_num in enumerate(reversed(range(self.I_FEATURES_LEN))):
        if byte_num == max_byte:
            # If we're in the max-allowed byte, allow any bits less than
            # the maximum-known feature flag bit to be set
            allow_mask = ((1 << self.I_FEATURES_MAX_BIT) - 1)
        ...
        if i_features[i] & ~allow_mask:
            LOG.warning('Found unknown feature bit in byte %i: %s/%s',
                        byte_num, bin(i_features[byte_num] & ~allow_mask),
                        bin(allow_mask))
If I_FEATURES_MAX_BIT is 8 or larger, the allow_mask created for the max_byte is incorrect.
There should be a MOD 8 in the calculation.
As it is, the created allow_mask will have all bits set in the lower 8 bits and allow all bits in the max_byte byte.
By sheer luck, the current value of I_FEATURES_MAX_BIT is only 4,
which keeps this from being an active security vulnerability (only a
potential one in the future, if this is not fixed before
I_FEATURES_MAX_BIT is increased).
To manage notifications about this bug go to:
https://bugs.launchpad.net/cinder/+bug/2073413/+subscriptions
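
The mask calculation from the bug description, as an added example that is not nova's code and not part of the original message: it runs the quoted loop with the reported mask and with the suggested MOD 8 mask, for I_FEATURES_MAX_BIT values of 4 and 12. The function names, the 8-byte field width, the sample fields and the two branches elided by "..." in the quoted snippet are assumptions made for illustration.

```python
import struct

I_FEATURES_LEN = 8  # assumption: 8-byte big-endian incompatible-features field


def mask_as_reported(max_bit):
    # Mask for the max-allowed byte, exactly as quoted in the bug description.
    return (1 << max_bit) - 1


def mask_with_mod8(max_bit):
    # The reporter's suggestion: use the bit's position inside its own byte.
    return (1 << (max_bit % 8)) - 1


def unknown_feature_bytes(i_features, max_bit, max_byte_mask):
    """Return the byte numbers holding bits outside the allow mask."""
    max_byte = max_bit // 8
    flagged = []
    # Big-endian field: index 0 is the most significant byte (byte_num 7).
    for i, byte_num in enumerate(reversed(range(I_FEATURES_LEN))):
        if byte_num == max_byte:
            allow_mask = max_byte_mask(max_bit)
        elif byte_num > max_byte:
            allow_mask = 0x00  # assumption: bytes above max_byte must be zero
        else:
            allow_mask = 0xFF  # assumption: lower bytes may carry any bit
        if i_features[i] & ~allow_mask:
            flagged.append(byte_num)
    return flagged


def field_with_bit(bit):
    # Constructed sample input: a feature field with a single bit set.
    return struct.pack('>Q', 1 << bit)


if __name__ == '__main__':
    for max_bit, bit in ((4, 5), (12, 10), (12, 14), (12, 20)):
        field = field_with_bit(bit)
        print('max_bit=%2d bit=%2d reported=%s mod8=%s' % (
            max_bit, bit,
            unknown_feature_bytes(field, max_bit, mask_as_reported),
            unknown_feature_bytes(field, max_bit, mask_with_mod8)))
```

With a maximum bit of 12, the reported mask is 0xFFF, so no value of a single byte can ever fail the check in byte 1; the MOD 8 mask is 0x0F and flags bit 14.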