qemu-img calls need to be restricted by ulimit (CVE-2015-5162)

Bug #1597254 reported by Roman Podoliaka
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Mirantis OpenStack
Fix Released
Fuel Sustaining
Won't Fix
MOS Maintenance
Fix Released
Fuel Sustaining

Bug Description

Upstream bug: https://bugs.launchpad.net/ossa/+bug/1449062

Reported via private E-mail from Richard W.M. Jones.

Turns out qemu image parser is not hardened against malicious input and can be abused to allocated an arbitrary amount of memory and/or dump a lot of information when used with "--output=json".

The solution seems to be: limit qemu-img ressource using ulimit.

Example of abuse:

-- afl1.img --

$ /usr/bin/time qemu-img info afl1.img
image: afl1.img
0.13user 0.19system 0:00.36elapsed 92%CPU (0avgtext+0avgdata 642416maxresident)k
0inputs+0outputs (0major+156927minor)pagefaults 0swaps

The original image is 516 bytes, but it causes qemu-img to allocate 640 MB.

-- afl2.img --

$ qemu-img info --output=json afl2.img | wc -l

This is a 200K image which causes qemu-img info to output half a
million lines of JSON (14 MB of JSON).

Glance runs the --output=json variant of the command.

-- afl3.img --

$ /usr/bin/time qemu-img info afl3.img
image: afl3.img
0.09user 0.35system 0:00.47elapsed 94%CPU (0avgtext+0avgdata 1262388maxresident)k
0inputs+0outputs (0major+311994minor)pagefaults 0swaps

qemu-img allocates 1.3 GB (actually, a bit more if you play with
ulimit -v). It appears that you could change it to allocate
arbitrarily large amounts of RAM.

CVE References

Revision history for this message
Roman Podoliaka (rpodolyaka) wrote :

Setting the importance according to the upstream bug.

Changed in mos:
milestone: none → 9.1
tags: added: area-nova
tags: added: feature-security
Revision history for this message
Denis Meltsaykin (dmeltsaykin) wrote :

Closing as Won't Fix for 8.0 as this is a medium importance non-customer-found bug.

Revision history for this message
Alexey Shtokolov (ashtokolov) wrote :
tags: added: hard-to-verify
tags: added: on-verification
Revision history for this message
Dmitry Belyaninov (dbelyaninov) wrote :

Verified on snapshot #430
It is impossible to boot instance from malicious qemu-img

tags: removed: on-verification
To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.