[openstack-nova/el6] disallow boot from arbitrary volumes (CVE-2013-0208)
Pádraig Brady
pbrady at fedoraproject.org
Tue Jan 29 16:30:21 UTC 2013
commit a136d13e4a7577cf347dbe80cbaab4e81846797c
Author: Pádraig Brady <P at draigBrady.com>
Date: Tue Jan 29 16:16:25 2013 +0000
disallow boot from arbitrary volumes (CVE-2013-0208)
...ot-from-volume-from-specifying-arbitrary-.patch | 95 ++++++++++++++++++++
openstack-nova.spec | 7 +-
2 files changed, 100 insertions(+), 2 deletions(-)
---
diff --git a/0002-disallow-boot-from-volume-from-specifying-arbitrary-.patch b/0002-disallow-boot-from-volume-from-specifying-arbitrary-.patch
new file mode 100644
index 0000000..7a48c53
--- /dev/null
+++ b/0002-disallow-boot-from-volume-from-specifying-arbitrary-.patch
@@ -0,0 +1,95 @@
+From a723a6ceadf9a97b79c1cec3e651062501355e2f Mon Sep 17 00:00:00 2001
+From: Vishvananda Ishaya <vishvananda at gmail.com>
+Date: Thu, 24 Jan 2013 10:07:33 +0000
+Subject: [PATCH] disallow boot from volume from specifying arbitrary volumes
+
+Fix a vulnerability in volume attachment in nova-volume, affecting the
+boot-from-volume feature. By passing a specific volume ID, an
+authenticated user may be able to boot from a volume they don't own,
+potentially resulting in full access to that 3rd-party volume.
+Folsom setups making use of Cinder are not affected.
+
+Fixes bug: 1069904, CVE-2013-0208
+Change-Id: I5f7c8d20d3ebf33ce1ce64bf0a8418bd2b5a6411
+---
+ nova/compute/api.py | 27 ++++++++++++++++++++++-----
+ nova/exception.py | 14 ++++++++++++++
+ 2 files changed, 36 insertions(+), 5 deletions(-)
+
+diff --git a/nova/compute/api.py b/nova/compute/api.py
+index 3742a08..8df3fdf 100644
+--- a/nova/compute/api.py
++++ b/nova/compute/api.py
+@@ -507,6 +507,11 @@ class API(base.Base):
+ security_group, block_device_mapping)
+ instances.append(instance)
+ instance_uuids.append(instance['uuid'])
++ self._validate_bdm(context, instance)
++ # send a state update notification for the initial create to
++ # show it going from non-existent to BUILDING
++ notifications.send_update_with_states(context, instance, None,
++ vm_states.BUILDING, None, None, service="api")
+
+ # In the case of any exceptions, attempt DB cleanup and rollback the
+ # quota reservations.
+@@ -623,6 +628,23 @@ class API(base.Base):
+ self.db.block_device_mapping_update_or_create(elevated_context,
+ values)
+
++ def _validate_bdm(self, context, instance):
++ for bdm in self.db.block_device_mapping_get_all_by_instance(
++ context, instance['uuid']):
++ # NOTE(vish): For now, just make sure the volumes are accessible.
++ snapshot_id = bdm.get('snapshot_id')
++ volume_id = bdm.get('volume_id')
++ if volume_id is not None:
++ try:
++ self.volume_api.get(context, volume_id)
++ except Exception:
++ raise exception.InvalidBDMVolume(id=volume_id)
++ elif snapshot_id is not None:
++ try:
++ self.volume_api.get_snapshot(context, snapshot_id)
++ except Exception:
++ raise exception.InvalidBDMSnapshot(id=snapshot_id)
++
+ def _populate_instance_for_bdm(self, context, instance, instance_type,
+ image, block_device_mapping):
+ """Populate instance block device mapping information."""
+@@ -735,11 +757,6 @@ class API(base.Base):
+ self._populate_instance_for_bdm(context, instance,
+ instance_type, image, block_device_mapping)
+
+- # send a state update notification for the initial create to
+- # show it going from non-existent to BUILDING
+- notifications.send_update_with_states(context, instance, None,
+- vm_states.BUILDING, None, None, service="api")
+-
+ return instance
+
+ def _check_create_policies(self, context, availability_zone,
+diff --git a/nova/exception.py b/nova/exception.py
+index b92e2ab..2eeef04 100644
+--- a/nova/exception.py
++++ b/nova/exception.py
+@@ -223,6 +223,20 @@ class InvalidSnapshot(Invalid):
+ message = _("Invalid snapshot") + ": %(reason)s"
+
+
++class InvalidBDM(Invalid):
++ message = _("Block Device Mapping is Invalid.")
++
++
++class InvalidBDMSnapshot(InvalidBDM):
++ message = _("Block Device Mapping is Invalid: "
++ "failed to get snapshot %(id)s.")
++
++
++class InvalidBDMVolume(InvalidBDM):
++ message = _("Block Device Mapping is Invalid: "
++ "failed to get volume %(id)s.")
++
++
+ class VolumeUnattached(Invalid):
+ message = _("Volume %(volume_id)s is not attached to anything")
+
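Review bot: In `_validate_bdm` (second nova/compute/api.py hunk of the embedded patch), both `except Exception:` clauses turn any failure of `self.volume_api.get` / `self.volume_api.get_snapshot` into `InvalidBDMVolume` / `InvalidBDMSnapshot`, so a volume-service outage or a programming error is reported as an invalid mapping and the original cause is dropped. Catching only the not-found and not-authorized errors the volume API raises, or at least logging the caught exception before re-raising, would keep a denied access distinguishable from a backend failure in the logs. The ownership check is implicit: it presumably works only because `context` is the caller's request context rather than the `elevated_context` used just above for `block_device_mapping_update_or_create`. That deserves a docstring such as `"""Reject block device mappings whose volume or snapshot the caller's context cannot fetch."""` and a comment `# must be the request context, never an elevated one`. Since the call is added after `instances.append(instance)`, a rejected request relies on the existing cleanup path to remove the instance record already created; that handler and the enclosing create loop lie outside the hunk, so this should be confirmed there.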
diff --git a/openstack-nova.spec b/openstack-nova.spec
index b3183ed..e33ece3 100644
--- a/openstack-nova.spec
+++ b/openstack-nova.spec
@@ -2,7 +2,7 @@
Name: openstack-nova
Version: 2012.2.2
-Release: 1%{?dist}
+Release: 2%{?dist}
Summary: OpenStack Compute (nova)
Group: Applications/System
@@ -44,6 +44,7 @@ Source22: nova-ifc-template
# patches_base=2012.2.2
#
Patch0001: 0001-Ensure-we-don-t-access-the-net-when-building-docs.patch
+Patch0002: 0002-disallow-boot-from-volume-from-specifying-arbitrary-.patch
# This is EPEL specific and not upstream
Patch100: openstack-nova-newdeps.patch
@@ -362,6 +363,7 @@ This package contains documentation files for nova.
%setup -q -n nova-%{version}
%patch0001 -p1
+%patch0002 -p1
# Apply EPEL patch
%patch100 -p1
@@ -755,7 +757,8 @@ fi
%endif
%changelog
-* Wed Jan 23 2013 Martin Magr <mmagr at redhat.com> - 2012.2.2-1
+* Tue Jan 29 2013 Pádraig Brady <pbrady at redhat.com> - 2012.2.2-2
+- disallow boot from volume from specifying arbitrary volumes (CVE-2013-0208)
- Added python-keystone requirement
* Fri Dec 14 2012 Pádraig Brady <pbrady at redhat.com> - 2012.2.2-1