[openstack-nova/el6-essex: 4/4] disallow boot from arbitrary volumes (CVE-2013-0208)

Pádraig Brady pbrady at fedoraproject.org
Tue Jan 29 17:44:54 UTC 2013


commit 274b4d46a90873943888733bcd62ce3a2dafe873
Author: Pádraig Brady <P at draigBrady.com>
Date:   Tue Jan 29 17:30:25 2013 +0000

    disallow boot from arbitrary volumes (CVE-2013-0208)
    
    (cherry picked from commit 75ff9b7a1c6c8cc51de68998e5637f059995d964)

 ...ot-from-volume-from-specifying-arbitrary-.patch |   70 ++++++++++++++++++++
 openstack-nova.spec                                |    9 ++-
 2 files changed, 76 insertions(+), 3 deletions(-)
---
diff --git a/0013-disallow-boot-from-volume-from-specifying-arbitrary-.patch b/0013-disallow-boot-from-volume-from-specifying-arbitrary-.patch
new file mode 100644
index 0000000..05e833b
--- /dev/null
+++ b/0013-disallow-boot-from-volume-from-specifying-arbitrary-.patch
@@ -0,0 +1,70 @@
+From 10e8755a1491b8da3e66259f000483a8b2ddc716 Mon Sep 17 00:00:00 2001
+From: Vishvananda Ishaya <vishvananda at gmail.com>
+Date: Thu, 24 Jan 2013 10:45:19 +0000
+Subject: [PATCH] disallow boot from volume from specifying arbitrary volumes
+
+Fix a vulnerability in volume attachment in nova-volume, affecting the
+boot-from-volume feature.  By passing a specific volume ID, an
+authenticated user may be able to boot from a volume they don't own,
+potentially resulting in full access to that 3rd-party volume.
+
+Fixes bug: 1069904, CVE-2013-0208
+Change-Id: I5f7c8d20d3ebf33ce1ce64bf0a8418bd2b5a6411
+(cherry picked from commit 243d516cea9d3caa5a8267b12d2f577dcb24193b)
+---
+ nova/compute/api.py |   16 ++++++++++++++++
+ nova/exception.py   |   14 ++++++++++++++
+ 2 files changed, 30 insertions(+), 0 deletions(-)
+
+diff --git a/nova/compute/api.py b/nova/compute/api.py
+index 13570f7..1683f38 100644
+--- a/nova/compute/api.py
++++ b/nova/compute/api.py
+@@ -390,6 +390,22 @@ class API(BaseAPI):
+ 
+         LOG.debug(_("Going to run %s instances...") % num_instances)
+ 
++        # Validate the correct devices have been specified
++        for bdm in block_device_mapping:
++            # NOTE(vish): For now, just make sure the volumes are accessible.
++            snapshot_id = bdm.get('snapshot_id')
++            volume_id = bdm.get('volume_id')
++            if volume_id is not None:
++                try:
++                    self.volume_api.get(context, volume_id)
++                except Exception:
++                    raise exception.InvalidBDMVolume(id=volume_id)
++            elif snapshot_id is not None:
++                try:
++                    self.volume_api.get_snapshot(context, snapshot_id)
++                except Exception:
++                    raise exception.InvalidBDMSnapshot(id=snapshot_id)
++
+         if create_instance_here:
+             instance = self.create_db_entry_for_new_instance(
+                     context, instance_type, image, base_options,
+diff --git a/nova/exception.py b/nova/exception.py
+index 107d926..1f1fa53 100644
+--- a/nova/exception.py
++++ b/nova/exception.py
+@@ -309,6 +309,20 @@ class InstanceInvalidState(Invalid):
+                 "%(method)s while the instance is in this state.")
+ 
+ 
++class InvalidBDM(Invalid):
++    message = _("Block Device Mapping is Invalid.")
++
++
++class InvalidBDMSnapshot(InvalidBDM):
++    message = _("Block Device Mapping is Invalid: "
++                "failed to get snapshot %(id)s.")
++
++
++class InvalidBDMVolume(InvalidBDM):
++    message = _("Block Device Mapping is Invalid: "
++                "failed to get volume %(id)s.")
++
++
+ class InstanceNotRunning(Invalid):
+     message = _("Instance %(instance_id)s is not running.")
+ 
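Review bot: Both `except Exception:` handlers in the block added to nova/compute/api.py turn every failure of `self.volume_api.get(context, volume_id)` or `get_snapshot` into InvalidBDMVolume / InvalidBDMSnapshot, so an operator cannot tell a denied or missing volume from a backend or RPC fault, and the original cause is never logged. Failing closed is the right default for this fix, but I would log before re-raising, e.g. `LOG.exception(_("Failed to get volume %s") % volume_id)`, or catch only the not-found and not-authorized exceptions that volume_api raises (those types are not visible in this hunk). The ownership decision is delegated entirely to `volume_api.get` being scoped by `context`, which this hunk does not show; a comment such as `# volume_api.get() must reject volumes the context cannot access; any failure rejects the request` would keep a later refactor from weakening it. Because the snapshot branch is an `elif`, a mapping that carries both `volume_id` and `snapshot_id` has only the volume checked; if later code can use the snapshot in that case, make it a separate `if`. The enclosing method of class API starts and ends outside the hunk.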
diff --git a/openstack-nova.spec b/openstack-nova.spec
index b7733bd..a7a4348 100644
--- a/openstack-nova.spec
+++ b/openstack-nova.spec
@@ -2,7 +2,7 @@
 
 Name:             openstack-nova
 Version:          2012.1.3
-Release:          1%{?dist}
+Release:          3%{?dist}
 Summary:          OpenStack Compute (nova)
 
 Group:            Applications/System
@@ -55,6 +55,7 @@ Patch0009: 0009-EC2-DescribeImages-reports-correct-rootDeviceType.patch
 Patch0010: 0010-Reject-EC2-CreateImage-for-instance-store.patch
 Patch0011: 0011-Fix-EC2-CreateImage-no_reboot-logic.patch
 Patch0012: 0012-Avoid-RPC-calls-while-holding-iptables-lock.patch
+Patch0013: 0013-disallow-boot-from-volume-from-specifying-arbitrary-.patch
 
 # This is EPEL specific and not upstream
 Patch100:         openstack-nova-newdeps.patch
@@ -382,6 +383,7 @@ This package contains documentation files for nova.
 %patch0010 -p1
 %patch0011 -p1
 %patch0012 -p1
+%patch0013 -p1
 
 # Apply EPEL patch
 %patch100 -p1
@@ -772,8 +774,9 @@ fi
 %endif
 
 %changelog
-* Thu Nov 29 2012 Nikola Dipanov <ndipanov at redhat.com> - 2012.1.3-2
-- nova.conf default configuration tweak to prevent image deletion due to an imagecahce bug
+* Tue Jan 29 2013 Pádraig Brady <pbrady at redhat.com> - 2012.1.3-3
+- disallow boot from volume from specifying arbitrary volumes (CVE-2013-0208)
+- Disable image cache cleanup to avoid issues with shared storage
 
 * Fri Oct 12 2012 Nikola Dipanov <ndipanov at redhat.com> - 2012.1.3-1
 - Restore libvirt block storage connections on reboot

