[Bug 1449062] Re: qemu-img calls need to be restricted by ulimit (CVE-2015-5162)

Jeremy Stanley fungi at yuggoth.org
Thu Sep 22 19:11:52 UTC 2016 

I'm resurrecting Grant's proposed impact description from comment #28
and updating for the year of time which has passed since. I've also
edited it to remove references to Cinder and Glance... are those
effectively still impacted in any supported branches? I see that the
tasks API in Glance becoming admin-only in Mitaka results in this being
impractical there, but what about for Liberty? And there's little input
from Cinder on this bug at all but the claim is that it's exploitable
there as well. Is that still the case today?

--

Title: Malicious input to qemu-img may result in resource exhaustion
Reporter: Richard W.M. Jones
Product: Nova
Affects: <=12.0.4, ==13.0.0

Description:
Richard W.M. Jones of Red Hat reported a vulnerability that affects OpenStack
Nova. By providing a maliciously crafted disk image an attacker can consume
considerable amounts of RAM and CPU time resulting in a denial of service via
resource exhaustion. Any project which makes calls to qemu-img without
appropriate ulimit restrictions in place is affected by this flaw.

-- 
You received this bug notification because you are a member of Ubuntu
OpenStack, which is subscribed to Ubuntu Cloud Archive.
https://bugs.launchpad.net/bugs/1449062

Title:
  qemu-img calls need to be restricted by ulimit (CVE-2015-5162)

Status in Ubuntu Cloud Archive:
  Fix Released
Status in Ubuntu Cloud Archive liberty series:
  Fix Committed
Status in Ubuntu Cloud Archive mitaka series:
  Fix Committed
Status in Ubuntu Cloud Archive newton series:
  Fix Released
Status in OpenStack Compute (nova):
  Fix Released
Status in OpenStack Security Advisory:
  In Progress
Status in python-oslo.concurrency package in Ubuntu:
  Fix Released
Status in python-oslo.concurrency source package in Wily:
  Fix Committed
Status in python-oslo.concurrency source package in Xenial:
  Fix Released
Status in python-oslo.concurrency source package in Yakkety:
  Fix Released

Bug description:
  Reported via private E-mail from Richard W.M. Jones.

  Turns out qemu image parser is not hardened against malicious input
  and can be abused to allocated an arbitrary amount of memory and/or
  dump a lot of information when used with "--output=json".

  The solution seems to be: limit qemu-img ressource using ulimit.

  Example of abuse:

  -- afl1.img --

  $ /usr/bin/time qemu-img info afl1.img
  image: afl1.img
  [...]
  0.13user 0.19system 0:00.36elapsed 92%CPU (0avgtext+0avgdata 642416maxresident)k
  0inputs+0outputs (0major+156927minor)pagefaults 0swaps

  The original image is 516 bytes, but it causes qemu-img to allocate
  640 MB.

  -- afl2.img --

  $ qemu-img info --output=json afl2.img | wc -l
  589843

  This is a 200K image which causes qemu-img info to output half a
  million lines of JSON (14 MB of JSON).

  Glance runs the --output=json variant of the command.

  -- afl3.img --

  $ /usr/bin/time qemu-img info afl3.img
  image: afl3.img
  [...]
  0.09user 0.35system 0:00.47elapsed 94%CPU (0avgtext+0avgdata 1262388maxresident)k
  0inputs+0outputs (0major+311994minor)pagefaults 0swaps

  qemu-img allocates 1.3 GB (actually, a bit more if you play with
  ulimit -v).  It appears that you could change it to allocate
  arbitrarily large amounts of RAM.

To manage notifications about this bug go to:
https://bugs.launchpad.net/cloud-archive/+bug/1449062/+subscriptions

More information about the Ubuntu-openstack-bugs mailing list