[Openstack-security] [Bug 1673085] Re: scheduler hints are unbounded and never deleted
Jeremy Stanley
fungi at yuggoth.org
Thu Mar 23 18:25:13 UTC 2017
OSSA are specific to issues fixed in supported stable branches. If they
can only be fixed in master (and so future major releases), we don't
issue advisories because there is no fix for operators to apply.
--
You received this bug notification because you are a member of OpenStack
Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1673085
Title:
scheduler hints are unbounded and never deleted
Status in OpenStack Compute (nova):
New
Status in OpenStack Security Advisory:
Won't Fix
Status in OpenStack Security Notes:
New
Bug description:
I'm initially reporting this as a potential security issue but it
might not be, I'm just looking for feedback from the VMT.
The scheduler_hints in the compute API are stored in the
request_specs.spec column in the nova_api database:
https://github.com/openstack/nova/blob/15.0.1/nova/db/sqlalchemy/api_models.py#L171
There is no limit on the size of the keys or values, or number of
hints, in the API:
https://github.com/openstack/nova/blob/15.0.1/nova/api/openstack/compute/schemas/scheduler_hints.py#L18
There are some pre-defined hints, but additionalProperties=True in the
json schema means that one can provide any hints they want.
So I could boot a server with a scheduler_hints dict that has a
million keys which are a million characters long. At best that just
results in a 500 because the column size limit in the database rejects
the json blob size. According to the mysql 5.7 docs:
https://dev.mysql.com/doc/refman/5.7/en/string-type-overview.html
"TEXT[(M)] [CHARACTER SET charset_name] [COLLATE collation_name]
A TEXT column with a maximum length of 65,535 (216 − 1) characters.
The effective maximum length is less if the value contains multibyte
characters. Each TEXT value is stored using a 2-byte length prefix
that indicates the number of bytes in the value."
At worst, I'm able to work backward from a million until I found out
the limit at which I can fill the request_specs.spec column and then
just hammer the compute API, filling up the nova_api database.
So there are two issues:
1. No key/value size limit in the API json schema for scheduler hints.
2. No quota limit on the number of hints one can provide (unlike quota
limits on user-provided metadata key/value pairs which are limited to
255 for the key/value and 128 for the quota).
Add to this the fact that we never delete request_specs entries from
the nova_api database automatically (that's being worked on here:
https://review.openstack.org/#/c/391060/ ).
This might not be a security issue, it might just be poor API design
and we can tighten things up to avoid a 500 error with quota limits
and json schema validation on the key/value size on each hint, and
also delete request specs when we delete an instance.
To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1673085/+subscriptions
More information about the Openstack-security
mailing list