yoga: Backport fixes for CVE-2024-32498 #83

Merged
merged 5 commits into from
Jul 9, 2024

markgoddard

  • Reject qcow files with data-file attributes
  • Check images with format_inspector for safety
  • Additional qemu safety checking on base images
  • Fix vmdk_allowed_types checking
  • Fix up merge conflicts in unit tests

kk7ds and others added 5 commits July 2, 2024 09:27
Change-Id: Ic3fa16f55acc38cf6c1a4ac1dce4487225e66d04
Closes-Bug: #2059809
(cherry picked from commit 37c587268526e16d3d0d6d6e802a33cc10548c60)
(cherry picked from commit 888311f0083f864de0cb7efd30195a7c4d5060c0)
(cherry picked from commit e53ca8e0c558214eab2a54172bcf161cd786e8ae)

It has been asserted that we should not be calling qemu-img info
on untrusted files. That means we need to know if they have a
backing_file, data_file or other unsafe configuration *before* we use
qemu-img to probe or convert them.

This grafts glance's format_inspector module into nova/images so we
can use it to check the file early for safety. The expectation is that
this will be moved to oslo.utils (or something) later and thus we will
just delete the file from nova and change our import when that happens.

NOTE: This includes whitespace changes from the glance version of
format_inspector.py because of autopep8 demands.

Change-Id: Iaefbe41b4c4bf0cf95d8f621653fdf65062aaa59
Closes-Bug: #2059809
(cherry picked from commit 966cd5a1f3119d47eeb985eea2385bd12148c320)
(cherry picked from commit 4d5824f03310cbc2aa32fa8e4b27a98a9b7d9a81)
(cherry picked from commit 210ad1f04c2f20374b323e64b9ef62d1eff5cc36)

There is an additional way we can be fooled into using a qcow2 file
with a data-file, which is uploading it as raw to glance and then
booting an instance from it. Because when we go to create the
ephemeral disk from a cached base image, we've lost the information
about the original source's format, we probe the image's file type
without a strict format specified. If a qcow2 file is listed in
glance as a raw, we won't notice it until it is too late.

This brings over another piece of code (proposed against) glance's
format inspector which provides a safe format detection routine. This
patch uses that to detect the format of and run a safety check on the
base image each time we go to use it to create an ephemeral disk
image from it.

This also detects QED files and always marks them as unsafe as we do
not support that format at all. Since we could be fooled into
downloading one and passing it to qemu-img if we don't recognize it,
we need to detect and reject it as unsafe.

Change-Id: I4881c8cbceb30c1ff2d2b859c554e0d02043f1f5
(cherry picked from commit 5d85ffded64b194a447b63042f78960b82c544f7)
(cherry picked from commit a343ed60a3d813b4c8da42cf70a7c1cfd92e6bec)
(cherry picked from commit 5d18a6478dfebebeaaddd8ba54ae0e203948d9b4)
Related-Bug: #2059809

@markgoddard markgoddard requested a review from a team as a code owner July 9, 2024 09:58
@markgoddard markgoddard self-assigned this Jul 9, 2024
@markgoddard markgoddard merged commit ab8bd79 into stackhpc/yoga Jul 9, 2024
3 checks passed
@markgoddard markgoddard deleted the yoga-cve-2024-32498 branch July 9, 2024 14:09
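
The pre-qemu-img check the commit messages above describe, sketched as an added example; this is not the format_inspector code from nova or glance. It classifies an image by its magic bytes instead of the format recorded in glance, then rejects QED, format mismatches, and qcow2 headers that reference a backing file or an external data file. The function names and the sample headers are constructed for illustration.

```python
import struct

QCOW2_MAGIC = b"QFI\xfb"
QED_MAGIC = b"QED\x00"
INCOMPAT_DATA_FILE = 1 << 2  # qcow2 incompatible-feature bit 2: external data file


def detect_format(header: bytes) -> str:
    """Classify by magic bytes only; never trust the format recorded in glance."""
    if header.startswith(QCOW2_MAGIC):
        return "qcow2"
    if header.startswith(QED_MAGIC):
        return "qed"
    return "raw"


def safety_check(header: bytes, claimed_format: str) -> list:
    """Return reasons to reject; an empty list means no problem was found."""
    detected = detect_format(header)
    problems = []
    if detected == "qed":
        problems.append("QED is unsupported and always unsafe")
    if detected != claimed_format:
        problems.append(f"claimed {claimed_format} but content is {detected}")
    if detected == "qcow2":
        # Callers pass at least the first 104 bytes; anything shorter is rejected.
        if len(header) < 80:
            problems.append("truncated qcow2 header")
            return problems
        version, backing_off = struct.unpack_from(">IQ", header, 4)
        if backing_off != 0:
            problems.append("qcow2 has a backing file")
        if version >= 3:
            (incompat,) = struct.unpack_from(">Q", header, 72)
            if incompat & INCOMPAT_DATA_FILE:
                problems.append("qcow2 has an external data file")
    return problems


def make_qcow2_header(backing_off=0, incompat=0, version=3) -> bytes:
    """Constructed sample input: only the fields checked above are populated."""
    hdr = bytearray(104)
    hdr[0:4] = QCOW2_MAGIC
    struct.pack_into(">IQ", hdr, 4, version, backing_off)
    struct.pack_into(">Q", hdr, 72, incompat)
    return bytes(hdr)
```

This sketch reads only the header fields named in the commit messages; it does not validate the rest of the qcow2 structure.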