[Openstack-security] [Bug 1218977] Re: DOS by passing an ephemeral or swap of arbitrary size
OpenStack Infra
1218977 at bugs.launchpad.net
Tue Sep 3 15:53:40 UTC 2013
Reviewed: https://review.openstack.org/44864
Committed: http://github.com/openstack/nova/commit/fcf712ec3538d4e07e0c0da6fadcd4f2ea7747fc
Submitter: Jenkins
Branch: master
commit fcf712ec3538d4e07e0c0da6fadcd4f2ea7747fc
Author: Nikola Dipanov <ndipanov at redhat.com>
Date: Fri Aug 30 16:40:43 2013 +0200
Check ephemeral and swap size in the API
Validate that ephemeral and swap disks passed in trough the API are
within size limits for the given instance type. The validation is done
in the API layer.
Closes-bug #1218977
Change-Id: I96c6e651e4b221313c39dfc41e79d536585fb955
** Changed in: nova
Status: In Progress => Fix Committed
--
You received this bug notification because you are a member of OpenStack
Security Group, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1218977
Title:
DOS by passing an ephemeral or swap of arbitrary size
Status in OpenStack Compute (Nova):
Fix Committed
Bug description:
Due to a previous bug that was never caught and the fact that we can
now pass ephemeral and block devices through the API, it is possible
to ask nova to create an arbitrarily large ephemeral block device -
which nova will happily do (and by default make it raw).
The bug was introduced in commit
0ef7e15e225efcce3e02098cb1d57f9f40181f82 as before that commit the
ephemeral device size will be defaulted to whatever was in the
instance_type - due to a bug this defaulting was not done anymore (see
compute.api.API._update_block_device_mapping).
Steps to reproduce:
ndipanov at localhost devstack]$ nova flavor-show 1
+----------------------------+---------+
| Property | Value |
+----------------------------+---------+
| name | m1.tiny |
| ram | 512 |
| OS-FLV-DISABLED:disabled | False |
| vcpus | 1 |
| extra_specs | {} |
| swap | |
| os-flavor-access:is_public | True |
| rxtx_factor | 1.0 |
| OS-FLV-EXT-DATA:ephemeral | 0 | <--- Ephemeral is 0
| disk | 1 |
| id | 1 |
+----------------------------+---------+
[ndipanov at localhost devstack]$ nova --debug boot --image 308f190c-d2f7-44fe-9b6d-7a28e2e2aa64 --flavor 1 --block-device source=blank,dest=local,size=2,device=vdb testvme2 #using the not yet merged novaclient patch https://review.openstack.org/#/c/38815/. The request dict is as follows: '{"server": {"name": "testvme2", "imageRef": "308f190c-d2f7-44fe-9b6d-7a28e2e2aa64", "block_device_mapping_v2": [{"source_type": "image", "delete_on_termination": true, "boot_index": 0, "uuid": "308f190c-d2f7-44fe-9b6d-7a28e2e2aa64", "destination_type": "local"}, {"source_type": "blank", "delete_on_termination": true, "device_name": "vdb", "volume_size": "2", "destination_type": "local"}], "flavorRef": "1", "max_count": 1, "min_count": 1}}'
[ndipanov at localhost devstack]$ nova list
+--------------------------------------+----------+--------+------------+-------------+------------------+
| ID | Name | Status | Task State | Power State | Networks |
+--------------------------------------+----------+--------+------------+-------------+------------------+
| 6c8a571c-3c1b-4fef-800e-0cecea927566 | testvme2 | ACTIVE | None | Running | private=10.0.0.2 |
+--------------------------------------+----------+--------+------------+-------------+------------------+
[ndipanov at localhost devstack]$ cd /opt/stack/data/nova/instances/_base/
[ndipanov at localhost _base]$ ls -lah
total 130M
drwxrwxr-x. 2 ndipanov libvirtd 4.0K Aug 30 10:59 .
drwxr-xr-x. 5 ndipanov root 4.0K Aug 30 10:59 ..
-rw-rw-r--. 1 ndipanov libvirtd 4.8M Aug 30 10:59 65706cf4-0f63-4cf6-a8ee-a1dc447a6380
-rw-rw-r--. 1 qemu qemu 24M Aug 30 10:59 8bf383ae7171db9b882fc6e33eebf619896d67b7
-rw-r--r--. 1 qemu qemu 2.0G Aug 30 10:59 ephemeral_2_default
-rw-rw-r--. 1 ndipanov libvirtd 3.6M Aug 30 10:59 fe478037-cd36-4517-b886-fd6e14d7462e
We can see that the raw image was happily created by nova. completely
disregarding the limitation.
I have attached a proposed patch.
This bug only affects current trunk as of the commit mentioned above.
To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1218977/+subscriptions
More information about the Openstack-security
mailing list