[openstack-nova] Adds the check QCOW2 image size patch
Nikola Dipanov
ndipanov at fedoraproject.org
Fri May 17 10:44:54 UTC 2013
commit 1596e2c1b1d7eef853937b9379942d40a05e5405
Author: Nikola Dipanov <ndipanov at redhat.com>
Date: Fri May 17 12:04:12 2013 +0200
Adds the check QCOW2 image size patch
Fixes CVE-2013-2096
...e-don-t-access-the-net-when-building-docs.patch | 6 +-
...COW2-image-size-during-root-disk-creation.patch | 93 ++++++++++++++++++++
openstack-nova.spec | 7 ++-
3 files changed, 102 insertions(+), 4 deletions(-)
---
diff --git a/0001-Ensure-we-don-t-access-the-net-when-building-docs.patch b/0001-Ensure-we-don-t-access-the-net-when-building-docs.patch
index 398ef25..a0a40f5 100644
--- a/0001-Ensure-we-don-t-access-the-net-when-building-docs.patch
+++ b/0001-Ensure-we-don-t-access-the-net-when-building-docs.patch
@@ -1,4 +1,4 @@
-From b6195e176337fd7fe7669c80d14052364be91758 Mon Sep 17 00:00:00 2001
+From f4b2590206c9fd3f9c03a2340f5795b7c742688b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?P=C3=A1draig=20Brady?= <pbrady at redhat.com>
Date: Fri, 6 Jan 2012 12:16:34 +0000
Subject: [PATCH] Ensure we don't access the net when building docs
@@ -7,8 +7,8 @@ Subject: [PATCH] Ensure we don't access the net when building docs
Change-Id: I9d02fb4053a8106672aded1614a2850e21603eb2
---
- doc/source/conf.py | 1 -
- 1 files changed, 0 insertions(+), 1 deletions(-)
+ doc/source/conf.py | 1 -
+ 1 file changed, 1 deletion(-)
diff --git a/doc/source/conf.py b/doc/source/conf.py
index 4fa13e0..85e2629 100644
diff --git a/0002-Check-QCOW2-image-size-during-root-disk-creation.patch b/0002-Check-QCOW2-image-size-during-root-disk-creation.patch
new file mode 100644
index 0000000..4f6cbf5
--- /dev/null
+++ b/0002-Check-QCOW2-image-size-during-root-disk-creation.patch
@@ -0,0 +1,93 @@
+From 53d1ca22e1001118789cddb87eda3fb6a61b0a49 Mon Sep 17 00:00:00 2001
+From: Chet Burgess <cfb at metacloud.com>
+Date: Thu, 9 May 2013 09:57:28 +0000
+Subject: [PATCH] Check QCOW2 image size during root disk creation
+
+glance can only tell us the size of the file, not the virtual
+size of the QCOW2. As such we need to check the virtual size of
+the image once its cached and ensure it's <= to the flavor's
+root disk size.
+
+Change-Id: I833467284126557eb598b8350a84e10c06292fa9
+Fixes: bug 1177830
+(cherry picked from commit 44a8aba1d5da87d54db48079103fdef946666d80)
+---
+ nova/tests/test_imagebackend.py | 21 +++++++++++++++++++++
+ nova/virt/libvirt/imagebackend.py | 8 ++++++++
+ 2 files changed, 29 insertions(+)
+
+diff --git a/nova/tests/test_imagebackend.py b/nova/tests/test_imagebackend.py
+index d571bbf..4ec36da 100644
+--- a/nova/tests/test_imagebackend.py
++++ b/nova/tests/test_imagebackend.py
+@@ -20,6 +20,7 @@ import os
+ import fixtures
+ from oslo.config import cfg
+
++from nova import exception
+ from nova.openstack.common import uuidutils
+ from nova import test
+ from nova.tests import fake_libvirt_utils
+@@ -253,9 +254,12 @@ class Qcow2TestCase(_ImageTestCase, test.TestCase):
+ fn = self.prepare_mocks()
+ fn(target=self.TEMPLATE_PATH)
+ self.mox.StubOutWithMock(os.path, 'exists')
++ self.mox.StubOutWithMock(imagebackend.disk, 'get_disk_size')
+ if self.OLD_STYLE_INSTANCE_PATH:
+ os.path.exists(self.OLD_STYLE_INSTANCE_PATH).AndReturn(False)
+ os.path.exists(self.TEMPLATE_PATH).AndReturn(False)
++ imagebackend.disk.get_disk_size(self.TEMPLATE_PATH
++ ).AndReturn(self.SIZE)
+ os.path.exists(self.PATH).AndReturn(False)
+ imagebackend.libvirt_utils.create_cow_image(self.TEMPLATE_PATH,
+ self.PATH)
+@@ -267,6 +271,23 @@ class Qcow2TestCase(_ImageTestCase, test.TestCase):
+
+ self.mox.VerifyAll()
+
++ def test_create_image_too_small(self):
++ fn = self.prepare_mocks()
++ fn(target=self.TEMPLATE_PATH)
++ self.mox.StubOutWithMock(os.path, 'exists')
++ self.mox.StubOutWithMock(imagebackend.disk, 'get_disk_size')
++ if self.OLD_STYLE_INSTANCE_PATH:
++ os.path.exists(self.OLD_STYLE_INSTANCE_PATH).AndReturn(False)
++ os.path.exists(self.TEMPLATE_PATH).AndReturn(False)
++ imagebackend.disk.get_disk_size(self.TEMPLATE_PATH
++ ).AndReturn(self.SIZE)
++ self.mox.ReplayAll()
++
++ image = self.image_class(self.INSTANCE, self.NAME)
++ self.assertRaises(exception.ImageTooLarge, image.create_image, fn,
++ self.TEMPLATE_PATH, 1)
++ self.mox.VerifyAll()
++
+
+ class LvmTestCase(_ImageTestCase, test.TestCase):
+ VG = 'FakeVG'
+diff --git a/nova/virt/libvirt/imagebackend.py b/nova/virt/libvirt/imagebackend.py
+index b6b1b88..2ca71cc 100755
+--- a/nova/virt/libvirt/imagebackend.py
++++ b/nova/virt/libvirt/imagebackend.py
+@@ -21,6 +21,7 @@ import os
+
+ from oslo.config import cfg
+
++from nova import exception
+ from nova.openstack.common import excutils
+ from nova.openstack.common import fileutils
+ from nova.openstack.common import lockutils
+@@ -255,6 +256,13 @@ class Qcow2(Image):
+
+ if not os.path.exists(base):
+ prepare_template(target=base, *args, **kwargs)
++ # NOTE(cfb): Having a flavor that sets the root size to 0 and having
++ # nova effectively ignore that size and use the size of the
++ # image is considered a feature at this time, not a bug.
++ if size and size < disk.get_disk_size(base):
++ LOG.error('%s virtual size larger than flavor root disk size %s' %
++ (base, size))
++ raise exception.ImageTooLarge()
+ if not os.path.exists(self.path):
+ with utils.remove_path_on_error(self.path):
+ copy_qcow2_image(base, self.path, size)
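Review bot: The virtual-size guard `if size and size < disk.get_disk_size(base):` is the only enforcement this patch adds; apart from the new import, every added line in `nova/virt/libvirt/imagebackend.py` is in `class Qcow2(Image)`. The other image backends in that file are not visible in this hunk, so it is worth confirming whether their root-disk creation paths need the same comparison of the image's virtual size against the flavor. The `size and ...` condition also skips the check when `size` is 0 or None, which NOTE(cfb) records as intentional; I would extend that comment with `# With size 0/None the image's virtual size is not bounded by the flavor root disk; it must be limited elsewhere.` so the remaining exposure is explicit to operators. The enclosing method starts and ends outside the hunk.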
diff --git a/openstack-nova.spec b/openstack-nova.spec
index ebf2b37..94d4b34 100644
--- a/openstack-nova.spec
+++ b/openstack-nova.spec
@@ -2,7 +2,7 @@
Name: openstack-nova
Version: 2013.1.1
-Release: 1%{?dist}
+Release: 2%{?dist}
Summary: OpenStack Compute (nova)
Group: Applications/System
@@ -36,6 +36,7 @@ Source24: nova-sudoers
# patches_base=2013.1.1
#
Patch0001: 0001-Ensure-we-don-t-access-the-net-when-building-docs.patch
+Patch0002: 0002-Check-QCOW2-image-size-during-root-disk-creation.patch
BuildArch: noarch
BuildRequires: intltool
@@ -359,6 +360,7 @@ This package contains documentation files for nova.
%setup -q -n nova-%{version}
%patch0001 -p1
+%patch0002 -p1
find . \( -name .gitignore -o -name .placeholder \) -delete
@@ -791,6 +793,9 @@ fi
%endif
%changelog
+* Mon Apr 08 2013 Nikola Đipanov <ndipanov at redhat.com> - 2013.1-2
+- Check QCOW2 image size during root disk creation (CVE-2013-2096)
+
* Mon May 13 2013 Pádraig Brady <pbrady at redhat.com> - 2013.1.1-1
- Update to stable/grizzly 2013.1.1 release