[openstack-nova/el6] fix CVE-2013-2096: qcow2 virt image size check

Pádraig Brady pbrady at fedoraproject.org
Fri May 17 16:01:31 UTC 2013


commit dc43fd3b8bf62d3d272b08a38b01f36f1bac267d
Author: Nikola Dipanov <ndipanov at redhat.com>
Date:   Fri May 17 16:48:26 2013 +0200

    fix CVE-2013-2096: qcow2 virt image size check

 ...e-don-t-access-the-net-when-building-docs.patch |    6 +-
 ...COW2-image-size-during-root-disk-creation.patch |  112 ++++++++++++++++++++
 openstack-nova.spec                                |    3 +
 3 files changed, 118 insertions(+), 3 deletions(-)
---
diff --git a/0001-Ensure-we-don-t-access-the-net-when-building-docs.patch b/0001-Ensure-we-don-t-access-the-net-when-building-docs.patch
index 0419764..7cb7bdc 100644
--- a/0001-Ensure-we-don-t-access-the-net-when-building-docs.patch
+++ b/0001-Ensure-we-don-t-access-the-net-when-building-docs.patch
@@ -1,4 +1,4 @@
-From 9db567b5c6f77092528214ac2bae77d8b8e97465 Mon Sep 17 00:00:00 2001
+From 0bb5695eaa753bad5992df9502039db3621d219f Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?P=C3=A1draig=20Brady?= <pbrady at redhat.com>
 Date: Fri, 6 Jan 2012 12:16:34 +0000
 Subject: [PATCH] Ensure we don't access the net when building docs
@@ -7,8 +7,8 @@ Subject: [PATCH] Ensure we don't access the net when building docs
 
 Change-Id: I9d02fb4053a8106672aded1614a2850e21603eb2
 ---
- doc/source/conf.py |    1 -
- 1 files changed, 0 insertions(+), 1 deletions(-)
+ doc/source/conf.py | 1 -
+ 1 file changed, 1 deletion(-)
 
 diff --git a/doc/source/conf.py b/doc/source/conf.py
 index 7f77cc5..62b273e 100644
diff --git a/0002-Check-QCOW2-image-size-during-root-disk-creation.patch b/0002-Check-QCOW2-image-size-during-root-disk-creation.patch
new file mode 100644
index 0000000..ecd9fa5
--- /dev/null
+++ b/0002-Check-QCOW2-image-size-during-root-disk-creation.patch
@@ -0,0 +1,112 @@
+From 1a75a559851560145bcdf80e42cb305116cde7de Mon Sep 17 00:00:00 2001
+From: Chet Burgess <cfb at metacloud.com>
+Date: Thu, 9 May 2013 09:57:28 +0000
+Subject: [PATCH] Check QCOW2 image size during root disk creation
+
+glance can only tell us the size of the file, not the virtual
+size of the QCOW2. As such we need to check the virtual size of
+the image once its cached and ensure it's <= to the flavor's
+root disk size.
+
+Change-Id: I833467284126557eb598b8350a84e10c06292fa9
+Fixes: bug 1177830
+(cherry picked from commit 44a8aba1d5da87d54db48079103fdef946666d80)
+---
+ nova/tests/test_imagebackend.py   | 18 ++++++++++++++++++
+ nova/virt/libvirt/imagebackend.py | 12 ++++++++++++
+ 2 files changed, 30 insertions(+)
+
+diff --git a/nova/tests/test_imagebackend.py b/nova/tests/test_imagebackend.py
+index f0bb718..da14f20 100644
+--- a/nova/tests/test_imagebackend.py
++++ b/nova/tests/test_imagebackend.py
+@@ -17,6 +17,7 @@
+ 
+ import os
+ 
++from nova import exception
+ from nova import flags
+ from nova import test
+ from nova.tests import fake_libvirt_utils
+@@ -190,7 +191,10 @@ class Qcow2TestCase(_ImageTestCase):
+         fn = self.prepare_mocks()
+         fn(target=self.TEMPLATE_PATH)
+         self.mox.StubOutWithMock(os.path, 'exists')
++        self.mox.StubOutWithMock(imagebackend.disk, 'get_disk_size')
+         os.path.exists(self.QCOW2_BASE).AndReturn(False)
++        imagebackend.disk.get_disk_size(self.TEMPLATE_PATH
++                                       ).AndReturn(self.SIZE)
+         imagebackend.libvirt_utils.copy_image(self.TEMPLATE_PATH,
+                                               self.QCOW2_BASE)
+         imagebackend.disk.extend(self.QCOW2_BASE, self.SIZE)
+@@ -203,11 +207,25 @@ class Qcow2TestCase(_ImageTestCase):
+ 
+         self.mox.VerifyAll()
+ 
++    def test_create_image_too_small(self):
++        self.mox.StubOutWithMock(imagebackend.disk, 'get_disk_size')
++        imagebackend.disk.get_disk_size(self.TEMPLATE_PATH
++                                       ).AndReturn(self.SIZE)
++        self.mox.ReplayAll()
++
++        image = self.image_class(self.INSTANCE, self.NAME)
++        self.assertRaises(exception.ImageTooLarge, image.create_image, None,
++                          self.TEMPLATE_PATH, 1)
++        self.mox.VerifyAll()
++
+     def test_create_image_with_size_template_exists(self):
+         fn = self.prepare_mocks()
+         fn(target=self.TEMPLATE_PATH)
+         self.mox.StubOutWithMock(os.path, 'exists')
++        self.mox.StubOutWithMock(imagebackend.disk, 'get_disk_size')
+         os.path.exists(self.QCOW2_BASE).AndReturn(True)
++        imagebackend.disk.get_disk_size(self.TEMPLATE_PATH
++                                       ).AndReturn(self.SIZE)
+         imagebackend.libvirt_utils.create_cow_image(self.QCOW2_BASE,
+                                                     self.PATH)
+         self.mox.ReplayAll()
+diff --git a/nova/virt/libvirt/imagebackend.py b/nova/virt/libvirt/imagebackend.py
+index 0f2f044..5e7023e 100644
+--- a/nova/virt/libvirt/imagebackend.py
++++ b/nova/virt/libvirt/imagebackend.py
+@@ -19,14 +19,17 @@ import abc
+ import contextlib
+ import os
+ 
++from nova import exception
+ from nova import flags
+ from nova.openstack.common import cfg
+ from nova.openstack.common import excutils
++from nova.openstack.common import log as logging
+ from nova import utils
+ from nova.virt.disk import api as disk
+ from nova.virt.libvirt import config
+ from nova.virt.libvirt import utils as libvirt_utils
+ 
++
+ __imagebackend_opts = [
+     cfg.StrOpt('libvirt_images_type',
+             default='default',
+@@ -46,6 +49,8 @@ __imagebackend_opts = [
+ FLAGS = flags.FLAGS
+ FLAGS.register_opts(__imagebackend_opts)
+ 
++LOG = logging.getLogger(__name__)
++
+ 
+ class Image(object):
+     __metaclass__ = abc.ABCMeta
+@@ -170,6 +175,13 @@ class Qcow2(Image):
+                         disk.extend(qcow2_base, size)
+             libvirt_utils.create_cow_image(qcow2_base, target)
+ 
++        # NOTE(cfb): Having a flavor that sets the root size to 0 and having
++        #            nova effectively ignore that size and use the size of the
++        #            image is considered a feature at this time, not a bug.
++        if size and size < disk.get_disk_size(base):
++            LOG.error('%s virtual size larger than flavor root disk size %s' %
++                      (base, size))
++            raise exception.ImageTooLarge()
+         prepare_template(target=base, *args, **kwargs)
+         with utils.remove_path_on_error(self.path):
+             copy_qcow2_image(base, self.path, size)
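Review bot: The new size check in `Qcow2.create_image` (the nested hunk's last lines; the method's signature lies outside the hunk) calls `disk.get_disk_size(base)` before `prepare_template(target=base, *args, **kwargs)`, which by its name and `target=base` argument appears to be what fetches the image into `base` on a cache miss. On the first boot of an image on a given compute node the virtual size would then be read from a path that may not exist yet, so the check either fails for a non-security reason or, depending on how `get_disk_size` treats a missing file, compares against a meaningless value; the added unit tests only cover the template-already-present case, and `test_create_image_too_small` even passes `prepare_template=None`, which would mask this ordering. Consider moving the comparison after the template is fetched, e.g. `prepare_template(target=base, *args, **kwargs)` followed by `if size and size < disk.get_disk_size(base):`, updating the test to stub a prepare_template callable, and adding a case where `base` is not yet cached. Separately, `LOG.error('%s virtual size larger than flavor root disk size %s' % (base, size))` formats eagerly; the logging idiom is `LOG.error('%s virtual size larger than flavor root disk size %s', base, size)`.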
diff --git a/openstack-nova.spec b/openstack-nova.spec
index 88cba9b..74b549f 100644
--- a/openstack-nova.spec
+++ b/openstack-nova.spec
@@ -44,6 +44,7 @@ Source22:         nova-ifc-template
 # patches_base=2012.2.4
 #
 Patch0001: 0001-Ensure-we-don-t-access-the-net-when-building-docs.patch
+Patch0002: 0002-Check-QCOW2-image-size-during-root-disk-creation.patch
 
 # This is EPEL specific and not upstream
 Patch100:         openstack-nova-newdeps.patch
@@ -362,6 +363,7 @@ This package contains documentation files for nova.
 %setup -q -n nova-%{version}
 
 %patch0001 -p1
+%patch0002 -p1
 
 # Apply EPEL patch
 %patch100 -p1
@@ -757,6 +759,7 @@ fi
 %changelog
 * Fri May 17 2013 Nikola Đipanov <ndipanov at redhat.com> - 2012.2.4-1
 - Update to latest stable Folsom 2012.2.4
+- Check QCOW2 image size during root disk creation (CVE-2013-2096)
 
 * Mon Feb 04 2013 Pádraig Brady <pbrady at redhat.com> - 2012.2.3-1
 - Update to folsom stable release 3

