[Yahoo-eng-team] [Bug 1449062] Re: qemu-img calls need to be restricted by ulimit (CVE-2015-5162)
** Changed in: glance Status: Fix Released => Fix Committed ** Changed in: glance/newton Importance: Undecided => Critical ** Changed in: glance/newton Assignee: (unassigned) => Hemanth Makkapati (hemanth-makkapati) ** Changed in: glance/newton Milestone: None => newton-rc2 ** Changed in: glance/mitaka Importance: Undecided => High ** Changed in: glance/mitaka Status: New => Fix Committed ** Changed in: glance/mitaka Assignee: (unassigned) => Hemanth Makkapati (hemanth-makkapati) -- You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to OpenStack Compute (nova). https://bugs.launchpad.net/bugs/1449062 Title: qemu-img calls need to be restricted by ulimit (CVE-2015-5162) Status in Cinder: Fix Released Status in Cinder mitaka series: Fix Committed Status in Cinder newton series: Fix Released Status in Ubuntu Cloud Archive: Fix Released Status in Ubuntu Cloud Archive liberty series: Fix Committed Status in Ubuntu Cloud Archive mitaka series: Fix Committed Status in Ubuntu Cloud Archive newton series: Fix Released Status in Glance: Fix Committed Status in Glance liberty series: New Status in Glance mitaka series: Fix Committed Status in Glance newton series: Fix Committed Status in OpenStack Compute (nova): Fix Released Status in OpenStack Security Advisory: In Progress Status in python-oslo.concurrency package in Ubuntu: Fix Released Status in python-oslo.concurrency source package in Wily: Fix Committed Status in python-oslo.concurrency source package in Xenial: Fix Released Status in python-oslo.concurrency source package in Yakkety: Fix Released Bug description: Reported via private E-mail from Richard W.M. Jones. Turns out qemu image parser is not hardened against malicious input and can be abused to allocated an arbitrary amount of memory and/or dump a lot of information when used with "--output=json". The solution seems to be: limit qemu-img ressource using ulimit. Example of abuse: -- afl1.img -- $ /usr/bin/time qemu-img info afl1.img image: afl1.img [...] 0.13user 0.19system 0:00.36elapsed 92%CPU (0avgtext+0avgdata 642416maxresident)k 0inputs+0outputs (0major+156927minor)pagefaults 0swaps The original image is 516 bytes, but it causes qemu-img to allocate 640 MB. -- afl2.img -- $ qemu-img info --output=json afl2.img | wc -l 589843 This is a 200K image which causes qemu-img info to output half a million lines of JSON (14 MB of JSON). Glance runs the --output=json variant of the command. -- afl3.img -- $ /usr/bin/time qemu-img info afl3.img image: afl3.img [...] 0.09user 0.35system 0:00.47elapsed 94%CPU (0avgtext+0avgdata 1262388maxresident)k 0inputs+0outputs (0major+311994minor)pagefaults 0swaps qemu-img allocates 1.3 GB (actually, a bit more if you play with ulimit -v). It appears that you could change it to allocate arbitrarily large amounts of RAM. To manage notifications about this bug go to: https://bugs.launchpad.net/cinder/+bug/1449062/+subscriptions -- Mailing list: https://launchpad.net/~yahoo-eng-team Post to : yahoo-eng-team@lists.launchpad.net Unsubscribe : https://launchpad.net/~yahoo-eng-team More help : https://help.launchpad.net/ListHelp
[Yahoo-eng-team] [Bug 1449062] Re: qemu-img calls need to be restricted by ulimit (CVE-2015-5162)
Reviewed: https://review.openstack.org/375526 Committed: https://git.openstack.org/cgit/openstack/glance/commit/?id=69a9b659fd48aa3c1f84fc7bc9ae236b6803d31f Submitter: Jenkins Branch:master commit 69a9b659fd48aa3c1f84fc7bc9ae236b6803d31f Author: Hemanth MakkapatiDate: Fri Sep 23 09:29:12 2016 -0500 Adding constraints around qemu-img calls * All "qemu-img info" calls are now run under resource limitations that limit CPU time to 2 seconds and address space usage to 1 GB. This helps avoid any DoS attacks via malicious images. * All "qemu-img convert" calls now specify the import format so that it does not have to be inferred by qemu-img. SecurityImpact Change-Id: Ib900bbc05cb9ccd90c6f56ccb4bf2006e30cdc80 Closes-Bug: #1449062 ** Changed in: glance Status: In Progress => Fix Released -- You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to OpenStack Compute (nova). https://bugs.launchpad.net/bugs/1449062 Title: qemu-img calls need to be restricted by ulimit (CVE-2015-5162) Status in Cinder: Fix Released Status in Cinder mitaka series: In Progress Status in Cinder newton series: Fix Released Status in Ubuntu Cloud Archive: Fix Released Status in Ubuntu Cloud Archive liberty series: Fix Committed Status in Ubuntu Cloud Archive mitaka series: Fix Committed Status in Ubuntu Cloud Archive newton series: Fix Released Status in Glance: Fix Released Status in Glance liberty series: New Status in Glance mitaka series: New Status in Glance newton series: Fix Committed Status in OpenStack Compute (nova): Fix Released Status in OpenStack Security Advisory: In Progress Status in python-oslo.concurrency package in Ubuntu: Fix Released Status in python-oslo.concurrency source package in Wily: Fix Committed Status in python-oslo.concurrency source package in Xenial: Fix Released Status in python-oslo.concurrency source package in Yakkety: Fix Released Bug description: Reported via private E-mail from Richard W.M. Jones. Turns out qemu image parser is not hardened against malicious input and can be abused to allocated an arbitrary amount of memory and/or dump a lot of information when used with "--output=json". The solution seems to be: limit qemu-img ressource using ulimit. Example of abuse: -- afl1.img -- $ /usr/bin/time qemu-img info afl1.img image: afl1.img [...] 0.13user 0.19system 0:00.36elapsed 92%CPU (0avgtext+0avgdata 642416maxresident)k 0inputs+0outputs (0major+156927minor)pagefaults 0swaps The original image is 516 bytes, but it causes qemu-img to allocate 640 MB. -- afl2.img -- $ qemu-img info --output=json afl2.img | wc -l 589843 This is a 200K image which causes qemu-img info to output half a million lines of JSON (14 MB of JSON). Glance runs the --output=json variant of the command. -- afl3.img -- $ /usr/bin/time qemu-img info afl3.img image: afl3.img [...] 0.09user 0.35system 0:00.47elapsed 94%CPU (0avgtext+0avgdata 1262388maxresident)k 0inputs+0outputs (0major+311994minor)pagefaults 0swaps qemu-img allocates 1.3 GB (actually, a bit more if you play with ulimit -v). It appears that you could change it to allocate arbitrarily large amounts of RAM. To manage notifications about this bug go to: https://bugs.launchpad.net/cinder/+bug/1449062/+subscriptions -- Mailing list: https://launchpad.net/~yahoo-eng-team Post to : yahoo-eng-team@lists.launchpad.net Unsubscribe : https://launchpad.net/~yahoo-eng-team More help : https://help.launchpad.net/ListHelp
[Yahoo-eng-team] [Bug 1449062] Re: qemu-img calls need to be restricted by ulimit (CVE-2015-5162)
Reviewed: https://review.openstack.org/375099 Committed: https://git.openstack.org/cgit/openstack/cinder/commit/?id=78f17f0ad79380ee3d9c50f2670252bcc559b62b Submitter: Jenkins Branch:master commit 78f17f0ad79380ee3d9c50f2670252bcc559b62b Author: Sean McGinnisDate: Thu Sep 22 15:31:37 2016 -0500 Limit memory & CPU when running qemu-img info It was found that a modified or corrupted image file can cause a DoS on the host when getting image info with qemu-img. This uses the newer 'prlimit' parameter for oslo.concurrency execute to set an address space limit of 1GB and CPU time limit of 2 seconds when running the qemu-img info command. Change-Id: If5b7129b266ef065642bc7898ce9dcf93722a053 Closes-bug: #1449062 ** Changed in: cinder Status: In Progress => Fix Released -- You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to OpenStack Compute (nova). https://bugs.launchpad.net/bugs/1449062 Title: qemu-img calls need to be restricted by ulimit (CVE-2015-5162) Status in Cinder: Fix Released Status in Cinder mitaka series: New Status in Cinder newton series: Fix Released Status in Ubuntu Cloud Archive: Fix Released Status in Ubuntu Cloud Archive liberty series: Fix Committed Status in Ubuntu Cloud Archive mitaka series: Fix Committed Status in Ubuntu Cloud Archive newton series: Fix Released Status in Glance: New Status in Glance liberty series: New Status in Glance mitaka series: New Status in Glance newton series: New Status in OpenStack Compute (nova): Fix Released Status in OpenStack Security Advisory: In Progress Status in python-oslo.concurrency package in Ubuntu: Fix Released Status in python-oslo.concurrency source package in Wily: Fix Committed Status in python-oslo.concurrency source package in Xenial: Fix Released Status in python-oslo.concurrency source package in Yakkety: Fix Released Bug description: Reported via private E-mail from Richard W.M. Jones. Turns out qemu image parser is not hardened against malicious input and can be abused to allocated an arbitrary amount of memory and/or dump a lot of information when used with "--output=json". The solution seems to be: limit qemu-img ressource using ulimit. Example of abuse: -- afl1.img -- $ /usr/bin/time qemu-img info afl1.img image: afl1.img [...] 0.13user 0.19system 0:00.36elapsed 92%CPU (0avgtext+0avgdata 642416maxresident)k 0inputs+0outputs (0major+156927minor)pagefaults 0swaps The original image is 516 bytes, but it causes qemu-img to allocate 640 MB. -- afl2.img -- $ qemu-img info --output=json afl2.img | wc -l 589843 This is a 200K image which causes qemu-img info to output half a million lines of JSON (14 MB of JSON). Glance runs the --output=json variant of the command. -- afl3.img -- $ /usr/bin/time qemu-img info afl3.img image: afl3.img [...] 0.09user 0.35system 0:00.47elapsed 94%CPU (0avgtext+0avgdata 1262388maxresident)k 0inputs+0outputs (0major+311994minor)pagefaults 0swaps qemu-img allocates 1.3 GB (actually, a bit more if you play with ulimit -v). It appears that you could change it to allocate arbitrarily large amounts of RAM. To manage notifications about this bug go to: https://bugs.launchpad.net/cinder/+bug/1449062/+subscriptions -- Mailing list: https://launchpad.net/~yahoo-eng-team Post to : yahoo-eng-team@lists.launchpad.net Unsubscribe : https://launchpad.net/~yahoo-eng-team More help : https://help.launchpad.net/ListHelp
[Yahoo-eng-team] [Bug 1449062] Re: qemu-img calls need to be restricted by ulimit (CVE-2015-5162)
Thank you for that info Jeremy, I've targetted it to the appropriate series in Glance so it's clear. ** Also affects: glance/mitaka Importance: Undecided Status: New ** Also affects: glance/liberty Importance: Undecided Status: New ** Also affects: glance/newton Importance: Undecided Status: New -- You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to OpenStack Compute (nova). https://bugs.launchpad.net/bugs/1449062 Title: qemu-img calls need to be restricted by ulimit (CVE-2015-5162) Status in Cinder: In Progress Status in Cinder mitaka series: New Status in Cinder newton series: In Progress Status in Ubuntu Cloud Archive: Fix Released Status in Ubuntu Cloud Archive liberty series: Fix Committed Status in Ubuntu Cloud Archive mitaka series: Fix Committed Status in Ubuntu Cloud Archive newton series: Fix Released Status in Glance: New Status in Glance liberty series: New Status in Glance mitaka series: New Status in Glance newton series: New Status in OpenStack Compute (nova): Fix Released Status in OpenStack Security Advisory: In Progress Status in python-oslo.concurrency package in Ubuntu: Fix Released Status in python-oslo.concurrency source package in Wily: Fix Committed Status in python-oslo.concurrency source package in Xenial: Fix Released Status in python-oslo.concurrency source package in Yakkety: Fix Released Bug description: Reported via private E-mail from Richard W.M. Jones. Turns out qemu image parser is not hardened against malicious input and can be abused to allocated an arbitrary amount of memory and/or dump a lot of information when used with "--output=json". The solution seems to be: limit qemu-img ressource using ulimit. Example of abuse: -- afl1.img -- $ /usr/bin/time qemu-img info afl1.img image: afl1.img [...] 0.13user 0.19system 0:00.36elapsed 92%CPU (0avgtext+0avgdata 642416maxresident)k 0inputs+0outputs (0major+156927minor)pagefaults 0swaps The original image is 516 bytes, but it causes qemu-img to allocate 640 MB. -- afl2.img -- $ qemu-img info --output=json afl2.img | wc -l 589843 This is a 200K image which causes qemu-img info to output half a million lines of JSON (14 MB of JSON). Glance runs the --output=json variant of the command. -- afl3.img -- $ /usr/bin/time qemu-img info afl3.img image: afl3.img [...] 0.09user 0.35system 0:00.47elapsed 94%CPU (0avgtext+0avgdata 1262388maxresident)k 0inputs+0outputs (0major+311994minor)pagefaults 0swaps qemu-img allocates 1.3 GB (actually, a bit more if you play with ulimit -v). It appears that you could change it to allocate arbitrarily large amounts of RAM. To manage notifications about this bug go to: https://bugs.launchpad.net/cinder/+bug/1449062/+subscriptions -- Mailing list: https://launchpad.net/~yahoo-eng-team Post to : yahoo-eng-team@lists.launchpad.net Unsubscribe : https://launchpad.net/~yahoo-eng-team More help : https://help.launchpad.net/ListHelp
[Yahoo-eng-team] [Bug 1449062] Re: qemu-img calls need to be restricted by ulimit (CVE-2015-5162)
** Also affects: glance Importance: Undecided Status: New -- You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to OpenStack Compute (nova). https://bugs.launchpad.net/bugs/1449062 Title: qemu-img calls need to be restricted by ulimit (CVE-2015-5162) Status in Cinder: In Progress Status in Cinder mitaka series: New Status in Cinder newton series: In Progress Status in Ubuntu Cloud Archive: Fix Released Status in Ubuntu Cloud Archive liberty series: Fix Committed Status in Ubuntu Cloud Archive mitaka series: Fix Committed Status in Ubuntu Cloud Archive newton series: Fix Released Status in Glance: New Status in OpenStack Compute (nova): Fix Released Status in OpenStack Security Advisory: In Progress Status in python-oslo.concurrency package in Ubuntu: Fix Released Status in python-oslo.concurrency source package in Wily: Fix Committed Status in python-oslo.concurrency source package in Xenial: Fix Released Status in python-oslo.concurrency source package in Yakkety: Fix Released Bug description: Reported via private E-mail from Richard W.M. Jones. Turns out qemu image parser is not hardened against malicious input and can be abused to allocated an arbitrary amount of memory and/or dump a lot of information when used with "--output=json". The solution seems to be: limit qemu-img ressource using ulimit. Example of abuse: -- afl1.img -- $ /usr/bin/time qemu-img info afl1.img image: afl1.img [...] 0.13user 0.19system 0:00.36elapsed 92%CPU (0avgtext+0avgdata 642416maxresident)k 0inputs+0outputs (0major+156927minor)pagefaults 0swaps The original image is 516 bytes, but it causes qemu-img to allocate 640 MB. -- afl2.img -- $ qemu-img info --output=json afl2.img | wc -l 589843 This is a 200K image which causes qemu-img info to output half a million lines of JSON (14 MB of JSON). Glance runs the --output=json variant of the command. -- afl3.img -- $ /usr/bin/time qemu-img info afl3.img image: afl3.img [...] 0.09user 0.35system 0:00.47elapsed 94%CPU (0avgtext+0avgdata 1262388maxresident)k 0inputs+0outputs (0major+311994minor)pagefaults 0swaps qemu-img allocates 1.3 GB (actually, a bit more if you play with ulimit -v). It appears that you could change it to allocate arbitrarily large amounts of RAM. To manage notifications about this bug go to: https://bugs.launchpad.net/cinder/+bug/1449062/+subscriptions -- Mailing list: https://launchpad.net/~yahoo-eng-team Post to : yahoo-eng-team@lists.launchpad.net Unsubscribe : https://launchpad.net/~yahoo-eng-team More help : https://help.launchpad.net/ListHelp
[Yahoo-eng-team] [Bug 1449062] Re: qemu-img calls need to be restricted by ulimit (CVE-2015-5162)
** Also affects: cinder/mitaka Importance: Undecided Status: New ** Also affects: cinder/newton Importance: Medium Assignee: Sean McGinnis (sean-mcginnis) Status: New -- You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to OpenStack Compute (nova). https://bugs.launchpad.net/bugs/1449062 Title: qemu-img calls need to be restricted by ulimit (CVE-2015-5162) Status in Cinder: In Progress Status in Cinder mitaka series: New Status in Cinder newton series: In Progress Status in Ubuntu Cloud Archive: Fix Released Status in Ubuntu Cloud Archive liberty series: Fix Committed Status in Ubuntu Cloud Archive mitaka series: Fix Committed Status in Ubuntu Cloud Archive newton series: Fix Released Status in OpenStack Compute (nova): Fix Released Status in OpenStack Security Advisory: In Progress Status in python-oslo.concurrency package in Ubuntu: Fix Released Status in python-oslo.concurrency source package in Wily: Fix Committed Status in python-oslo.concurrency source package in Xenial: Fix Released Status in python-oslo.concurrency source package in Yakkety: Fix Released Bug description: Reported via private E-mail from Richard W.M. Jones. Turns out qemu image parser is not hardened against malicious input and can be abused to allocated an arbitrary amount of memory and/or dump a lot of information when used with "--output=json". The solution seems to be: limit qemu-img ressource using ulimit. Example of abuse: -- afl1.img -- $ /usr/bin/time qemu-img info afl1.img image: afl1.img [...] 0.13user 0.19system 0:00.36elapsed 92%CPU (0avgtext+0avgdata 642416maxresident)k 0inputs+0outputs (0major+156927minor)pagefaults 0swaps The original image is 516 bytes, but it causes qemu-img to allocate 640 MB. -- afl2.img -- $ qemu-img info --output=json afl2.img | wc -l 589843 This is a 200K image which causes qemu-img info to output half a million lines of JSON (14 MB of JSON). Glance runs the --output=json variant of the command. -- afl3.img -- $ /usr/bin/time qemu-img info afl3.img image: afl3.img [...] 0.09user 0.35system 0:00.47elapsed 94%CPU (0avgtext+0avgdata 1262388maxresident)k 0inputs+0outputs (0major+311994minor)pagefaults 0swaps qemu-img allocates 1.3 GB (actually, a bit more if you play with ulimit -v). It appears that you could change it to allocate arbitrarily large amounts of RAM. To manage notifications about this bug go to: https://bugs.launchpad.net/cinder/+bug/1449062/+subscriptions -- Mailing list: https://launchpad.net/~yahoo-eng-team Post to : yahoo-eng-team@lists.launchpad.net Unsubscribe : https://launchpad.net/~yahoo-eng-team More help : https://help.launchpad.net/ListHelp
[Yahoo-eng-team] [Bug 1449062] Re: qemu-img calls need to be restricted by ulimit (CVE-2015-5162)
** Also affects: cinder Importance: Undecided Status: New ** Changed in: cinder Importance: Undecided => Medium ** Changed in: cinder Assignee: (unassigned) => Sean McGinnis (sean-mcginnis) -- You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to OpenStack Compute (nova). https://bugs.launchpad.net/bugs/1449062 Title: qemu-img calls need to be restricted by ulimit (CVE-2015-5162) Status in Cinder: New Status in Cinder mitaka series: New Status in Cinder newton series: New Status in Ubuntu Cloud Archive: Fix Released Status in Ubuntu Cloud Archive liberty series: Fix Committed Status in Ubuntu Cloud Archive mitaka series: Fix Committed Status in Ubuntu Cloud Archive newton series: Fix Released Status in OpenStack Compute (nova): Fix Released Status in OpenStack Security Advisory: In Progress Status in python-oslo.concurrency package in Ubuntu: Fix Released Status in python-oslo.concurrency source package in Wily: Fix Committed Status in python-oslo.concurrency source package in Xenial: Fix Released Status in python-oslo.concurrency source package in Yakkety: Fix Released Bug description: Reported via private E-mail from Richard W.M. Jones. Turns out qemu image parser is not hardened against malicious input and can be abused to allocated an arbitrary amount of memory and/or dump a lot of information when used with "--output=json". The solution seems to be: limit qemu-img ressource using ulimit. Example of abuse: -- afl1.img -- $ /usr/bin/time qemu-img info afl1.img image: afl1.img [...] 0.13user 0.19system 0:00.36elapsed 92%CPU (0avgtext+0avgdata 642416maxresident)k 0inputs+0outputs (0major+156927minor)pagefaults 0swaps The original image is 516 bytes, but it causes qemu-img to allocate 640 MB. -- afl2.img -- $ qemu-img info --output=json afl2.img | wc -l 589843 This is a 200K image which causes qemu-img info to output half a million lines of JSON (14 MB of JSON). Glance runs the --output=json variant of the command. -- afl3.img -- $ /usr/bin/time qemu-img info afl3.img image: afl3.img [...] 0.09user 0.35system 0:00.47elapsed 94%CPU (0avgtext+0avgdata 1262388maxresident)k 0inputs+0outputs (0major+311994minor)pagefaults 0swaps qemu-img allocates 1.3 GB (actually, a bit more if you play with ulimit -v). It appears that you could change it to allocate arbitrarily large amounts of RAM. To manage notifications about this bug go to: https://bugs.launchpad.net/cinder/+bug/1449062/+subscriptions -- Mailing list: https://launchpad.net/~yahoo-eng-team Post to : yahoo-eng-team@lists.launchpad.net Unsubscribe : https://launchpad.net/~yahoo-eng-team More help : https://help.launchpad.net/ListHelp
[Yahoo-eng-team] [Bug 1449062] Re: qemu-img calls need to be restricted by ulimit (CVE-2015-5162)
** Also affects: cloud-archive Importance: Undecided Status: New ** Changed in: cloud-archive Status: New => Fix Released ** Changed in: cloud-archive Importance: Undecided => Medium ** Also affects: cloud-archive/liberty Importance: Undecided Status: New ** Also affects: cloud-archive/newton Importance: Medium Status: Fix Released ** Also affects: cloud-archive/mitaka Importance: Undecided Status: New ** Changed in: cloud-archive/liberty Importance: Undecided => Medium ** Changed in: cloud-archive/mitaka Importance: Undecided => Medium ** Changed in: cloud-archive/mitaka Status: New => Fix Committed -- You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to OpenStack Compute (nova). https://bugs.launchpad.net/bugs/1449062 Title: qemu-img calls need to be restricted by ulimit (CVE-2015-5162) Status in Ubuntu Cloud Archive: Fix Released Status in Ubuntu Cloud Archive liberty series: New Status in Ubuntu Cloud Archive mitaka series: Fix Committed Status in Ubuntu Cloud Archive newton series: Fix Released Status in OpenStack Compute (nova): Fix Released Status in OpenStack Security Advisory: Confirmed Status in python-oslo.concurrency package in Ubuntu: Fix Released Status in python-oslo.concurrency source package in Wily: Fix Committed Status in python-oslo.concurrency source package in Xenial: Fix Released Status in python-oslo.concurrency source package in Yakkety: Fix Released Bug description: Reported via private E-mail from Richard W.M. Jones. Turns out qemu image parser is not hardened against malicious input and can be abused to allocated an arbitrary amount of memory and/or dump a lot of information when used with "--output=json". The solution seems to be: limit qemu-img ressource using ulimit. Example of abuse: -- afl1.img -- $ /usr/bin/time qemu-img info afl1.img image: afl1.img [...] 0.13user 0.19system 0:00.36elapsed 92%CPU (0avgtext+0avgdata 642416maxresident)k 0inputs+0outputs (0major+156927minor)pagefaults 0swaps The original image is 516 bytes, but it causes qemu-img to allocate 640 MB. -- afl2.img -- $ qemu-img info --output=json afl2.img | wc -l 589843 This is a 200K image which causes qemu-img info to output half a million lines of JSON (14 MB of JSON). Glance runs the --output=json variant of the command. -- afl3.img -- $ /usr/bin/time qemu-img info afl3.img image: afl3.img [...] 0.09user 0.35system 0:00.47elapsed 94%CPU (0avgtext+0avgdata 1262388maxresident)k 0inputs+0outputs (0major+311994minor)pagefaults 0swaps qemu-img allocates 1.3 GB (actually, a bit more if you play with ulimit -v). It appears that you could change it to allocate arbitrarily large amounts of RAM. To manage notifications about this bug go to: https://bugs.launchpad.net/cloud-archive/+bug/1449062/+subscriptions -- Mailing list: https://launchpad.net/~yahoo-eng-team Post to : yahoo-eng-team@lists.launchpad.net Unsubscribe : https://launchpad.net/~yahoo-eng-team More help : https://help.launchpad.net/ListHelp
[Yahoo-eng-team] [Bug 1449062] Re: qemu-img calls need to be restricted by ulimit (CVE-2015-5162)
** Project changed: cinder => ubuntu-translations ** No longer affects: ubuntu-translations ** Project changed: glance => ubuntu-translations ** Changed in: ubuntu-translations Milestone: ongoing => None ** No longer affects: ubuntu-translations -- You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to OpenStack Compute (nova). https://bugs.launchpad.net/bugs/1449062 Title: qemu-img calls need to be restricted by ulimit (CVE-2015-5162) Status in OpenStack Compute (nova): Fix Released Status in OpenStack Security Advisory: Confirmed Status in python-oslo.concurrency package in Ubuntu: Fix Released Status in python-oslo.concurrency source package in Wily: Fix Committed Status in python-oslo.concurrency source package in Xenial: Fix Released Status in python-oslo.concurrency source package in Yakkety: Fix Released Bug description: Reported via private E-mail from Richard W.M. Jones. Turns out qemu image parser is not hardened against malicious input and can be abused to allocated an arbitrary amount of memory and/or dump a lot of information when used with "--output=json". The solution seems to be: limit qemu-img ressource using ulimit. Example of abuse: -- afl1.img -- $ /usr/bin/time qemu-img info afl1.img image: afl1.img [...] 0.13user 0.19system 0:00.36elapsed 92%CPU (0avgtext+0avgdata 642416maxresident)k 0inputs+0outputs (0major+156927minor)pagefaults 0swaps The original image is 516 bytes, but it causes qemu-img to allocate 640 MB. -- afl2.img -- $ qemu-img info --output=json afl2.img | wc -l 589843 This is a 200K image which causes qemu-img info to output half a million lines of JSON (14 MB of JSON). Glance runs the --output=json variant of the command. -- afl3.img -- $ /usr/bin/time qemu-img info afl3.img image: afl3.img [...] 0.09user 0.35system 0:00.47elapsed 94%CPU (0avgtext+0avgdata 1262388maxresident)k 0inputs+0outputs (0major+311994minor)pagefaults 0swaps qemu-img allocates 1.3 GB (actually, a bit more if you play with ulimit -v). It appears that you could change it to allocate arbitrarily large amounts of RAM. To manage notifications about this bug go to: https://bugs.launchpad.net/nova/+bug/1449062/+subscriptions -- Mailing list: https://launchpad.net/~yahoo-eng-team Post to : yahoo-eng-team@lists.launchpad.net Unsubscribe : https://launchpad.net/~yahoo-eng-team More help : https://help.launchpad.net/ListHelp
[Yahoo-eng-team] [Bug 1449062] Re: qemu-img calls need to be restricted by ulimit (CVE-2015-5162)
** Also affects: python-oslo.concurrency (Ubuntu Wily) Importance: Undecided Status: New ** Changed in: python-oslo.concurrency (Ubuntu Wily) Importance: Undecided => Medium -- You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to OpenStack Compute (nova). https://bugs.launchpad.net/bugs/1449062 Title: qemu-img calls need to be restricted by ulimit (CVE-2015-5162) Status in Cinder: New Status in Glance: In Progress Status in OpenStack Compute (nova): Fix Released Status in OpenStack Security Advisory: Confirmed Status in python-oslo.concurrency package in Ubuntu: Fix Released Status in python-oslo.concurrency source package in Wily: New Status in python-oslo.concurrency source package in Xenial: Fix Released Status in python-oslo.concurrency source package in Yakkety: Fix Released Bug description: Reported via private E-mail from Richard W.M. Jones. Turns out qemu image parser is not hardened against malicious input and can be abused to allocated an arbitrary amount of memory and/or dump a lot of information when used with "--output=json". The solution seems to be: limit qemu-img ressource using ulimit. Example of abuse: -- afl1.img -- $ /usr/bin/time qemu-img info afl1.img image: afl1.img [...] 0.13user 0.19system 0:00.36elapsed 92%CPU (0avgtext+0avgdata 642416maxresident)k 0inputs+0outputs (0major+156927minor)pagefaults 0swaps The original image is 516 bytes, but it causes qemu-img to allocate 640 MB. -- afl2.img -- $ qemu-img info --output=json afl2.img | wc -l 589843 This is a 200K image which causes qemu-img info to output half a million lines of JSON (14 MB of JSON). Glance runs the --output=json variant of the command. -- afl3.img -- $ /usr/bin/time qemu-img info afl3.img image: afl3.img [...] 0.09user 0.35system 0:00.47elapsed 94%CPU (0avgtext+0avgdata 1262388maxresident)k 0inputs+0outputs (0major+311994minor)pagefaults 0swaps qemu-img allocates 1.3 GB (actually, a bit more if you play with ulimit -v). It appears that you could change it to allocate arbitrarily large amounts of RAM. To manage notifications about this bug go to: https://bugs.launchpad.net/cinder/+bug/1449062/+subscriptions -- Mailing list: https://launchpad.net/~yahoo-eng-team Post to : yahoo-eng-team@lists.launchpad.net Unsubscribe : https://launchpad.net/~yahoo-eng-team More help : https://help.launchpad.net/ListHelp
[Yahoo-eng-team] [Bug 1449062] Re: qemu-img calls need to be restricted by ulimit (CVE-2015-5162)
This bug was fixed in the package python-oslo.concurrency - 3.7.1-0ubuntu1 --- python-oslo.concurrency (3.7.1-0ubuntu1) xenial; urgency=medium * New upstream point release (LP: #1449062). -- Corey BryantMon, 13 Jun 2016 12:34:15 -0400 ** Changed in: python-oslo.concurrency (Ubuntu Xenial) Status: Fix Committed => Fix Released ** Changed in: python-oslo.concurrency (Ubuntu Xenial) Status: Fix Committed => Fix Released -- You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to OpenStack Compute (nova). https://bugs.launchpad.net/bugs/1449062 Title: qemu-img calls need to be restricted by ulimit (CVE-2015-5162) Status in Cinder: New Status in Glance: In Progress Status in OpenStack Compute (nova): Fix Released Status in OpenStack Security Advisory: Confirmed Status in python-oslo.concurrency package in Ubuntu: Fix Released Status in python-oslo.concurrency source package in Xenial: Fix Released Status in python-oslo.concurrency source package in Yakkety: Fix Released Bug description: Reported via private E-mail from Richard W.M. Jones. Turns out qemu image parser is not hardened against malicious input and can be abused to allocated an arbitrary amount of memory and/or dump a lot of information when used with "--output=json". The solution seems to be: limit qemu-img ressource using ulimit. Example of abuse: -- afl1.img -- $ /usr/bin/time qemu-img info afl1.img image: afl1.img [...] 0.13user 0.19system 0:00.36elapsed 92%CPU (0avgtext+0avgdata 642416maxresident)k 0inputs+0outputs (0major+156927minor)pagefaults 0swaps The original image is 516 bytes, but it causes qemu-img to allocate 640 MB. -- afl2.img -- $ qemu-img info --output=json afl2.img | wc -l 589843 This is a 200K image which causes qemu-img info to output half a million lines of JSON (14 MB of JSON). Glance runs the --output=json variant of the command. -- afl3.img -- $ /usr/bin/time qemu-img info afl3.img image: afl3.img [...] 0.09user 0.35system 0:00.47elapsed 94%CPU (0avgtext+0avgdata 1262388maxresident)k 0inputs+0outputs (0major+311994minor)pagefaults 0swaps qemu-img allocates 1.3 GB (actually, a bit more if you play with ulimit -v). It appears that you could change it to allocate arbitrarily large amounts of RAM. To manage notifications about this bug go to: https://bugs.launchpad.net/cinder/+bug/1449062/+subscriptions -- Mailing list: https://launchpad.net/~yahoo-eng-team Post to : yahoo-eng-team@lists.launchpad.net Unsubscribe : https://launchpad.net/~yahoo-eng-team More help : https://help.launchpad.net/ListHelp
[Yahoo-eng-team] [Bug 1449062] Re: qemu-img calls need to be restricted by ulimit (CVE-2015-5162)
** Also affects: python-oslo.concurrency (Ubuntu) Importance: Undecided Status: New ** Also affects: python-oslo.concurrency (Ubuntu Yakkety) Importance: Undecided Status: New ** Also affects: python-oslo.concurrency (Ubuntu Xenial) Importance: Undecided Status: New ** Changed in: python-oslo.concurrency (Ubuntu Yakkety) Status: New => Fix Released ** Changed in: python-oslo.concurrency (Ubuntu Xenial) Status: New => Triaged ** Changed in: python-oslo.concurrency (Ubuntu Xenial) Importance: Undecided => Medium ** Changed in: python-oslo.concurrency (Ubuntu Yakkety) Importance: Undecided => Medium ** Changed in: python-oslo.concurrency (Ubuntu Xenial) Assignee: (unassigned) => Corey Bryant (corey.bryant) -- You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to OpenStack Compute (nova). https://bugs.launchpad.net/bugs/1449062 Title: qemu-img calls need to be restricted by ulimit (CVE-2015-5162) Status in Cinder: New Status in Glance: In Progress Status in OpenStack Compute (nova): Fix Released Status in OpenStack Security Advisory: Confirmed Status in python-oslo.concurrency package in Ubuntu: Fix Released Status in python-oslo.concurrency source package in Xenial: Triaged Status in python-oslo.concurrency source package in Yakkety: Fix Released Bug description: Reported via private E-mail from Richard W.M. Jones. Turns out qemu image parser is not hardened against malicious input and can be abused to allocated an arbitrary amount of memory and/or dump a lot of information when used with "--output=json". The solution seems to be: limit qemu-img ressource using ulimit. Example of abuse: -- afl1.img -- $ /usr/bin/time qemu-img info afl1.img image: afl1.img [...] 0.13user 0.19system 0:00.36elapsed 92%CPU (0avgtext+0avgdata 642416maxresident)k 0inputs+0outputs (0major+156927minor)pagefaults 0swaps The original image is 516 bytes, but it causes qemu-img to allocate 640 MB. -- afl2.img -- $ qemu-img info --output=json afl2.img | wc -l 589843 This is a 200K image which causes qemu-img info to output half a million lines of JSON (14 MB of JSON). Glance runs the --output=json variant of the command. -- afl3.img -- $ /usr/bin/time qemu-img info afl3.img image: afl3.img [...] 0.09user 0.35system 0:00.47elapsed 94%CPU (0avgtext+0avgdata 1262388maxresident)k 0inputs+0outputs (0major+311994minor)pagefaults 0swaps qemu-img allocates 1.3 GB (actually, a bit more if you play with ulimit -v). It appears that you could change it to allocate arbitrarily large amounts of RAM. To manage notifications about this bug go to: https://bugs.launchpad.net/cinder/+bug/1449062/+subscriptions -- Mailing list: https://launchpad.net/~yahoo-eng-team Post to : yahoo-eng-team@lists.launchpad.net Unsubscribe : https://launchpad.net/~yahoo-eng-team More help : https://help.launchpad.net/ListHelp
[Yahoo-eng-team] [Bug 1449062] Re: qemu-img calls need to be restricted by ulimit (CVE-2015-5162)
Reviewed: https://review.openstack.org/307663 Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=068d851561addfefb2b812d91dc2011077cb6e1d Submitter: Jenkins Branch:master commit 068d851561addfefb2b812d91dc2011077cb6e1d Author: Daniel P. BerrangeDate: Mon Apr 18 16:32:19 2016 + virt: set address space & CPU time limits when running qemu-img This uses the new 'prlimit' parameter for oslo.concurrency execute method, to set an address space limit of 1GB and CPU time limit of 2 seconds, when running qemu-img. This is a re-implementation of the previously reverted commit commit da217205f53f9a38a573fb151898fbbeae41021d Author: Tristan Cacqueray Date: Wed Aug 5 17:17:04 2015 + virt: Use preexec_fn to ulimit qemu-img info call Closes-Bug: #1449062 Change-Id: I135b5242af1bfdcb0ea09a6fcda21fc03a6fbe7d ** Changed in: nova Status: In Progress => Fix Released -- You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to OpenStack Compute (nova). https://bugs.launchpad.net/bugs/1449062 Title: qemu-img calls need to be restricted by ulimit (CVE-2015-5162) Status in Cinder: New Status in Glance: In Progress Status in OpenStack Compute (nova): Fix Released Status in OpenStack Security Advisory: Confirmed Bug description: Reported via private E-mail from Richard W.M. Jones. Turns out qemu image parser is not hardened against malicious input and can be abused to allocated an arbitrary amount of memory and/or dump a lot of information when used with "--output=json". The solution seems to be: limit qemu-img ressource using ulimit. Example of abuse: -- afl1.img -- $ /usr/bin/time qemu-img info afl1.img image: afl1.img [...] 0.13user 0.19system 0:00.36elapsed 92%CPU (0avgtext+0avgdata 642416maxresident)k 0inputs+0outputs (0major+156927minor)pagefaults 0swaps The original image is 516 bytes, but it causes qemu-img to allocate 640 MB. -- afl2.img -- $ qemu-img info --output=json afl2.img | wc -l 589843 This is a 200K image which causes qemu-img info to output half a million lines of JSON (14 MB of JSON). Glance runs the --output=json variant of the command. -- afl3.img -- $ /usr/bin/time qemu-img info afl3.img image: afl3.img [...] 0.09user 0.35system 0:00.47elapsed 94%CPU (0avgtext+0avgdata 1262388maxresident)k 0inputs+0outputs (0major+311994minor)pagefaults 0swaps qemu-img allocates 1.3 GB (actually, a bit more if you play with ulimit -v). It appears that you could change it to allocate arbitrarily large amounts of RAM. To manage notifications about this bug go to: https://bugs.launchpad.net/cinder/+bug/1449062/+subscriptions -- Mailing list: https://launchpad.net/~yahoo-eng-team Post to : yahoo-eng-team@lists.launchpad.net Unsubscribe : https://launchpad.net/~yahoo-eng-team More help : https://help.launchpad.net/ListHelp
[Yahoo-eng-team] [Bug 1449062] Re: qemu-img calls need to be restricted by ulimit (CVE-2015-5162)
** Changed in: nova Status: Fix Committed => Fix Released -- You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to OpenStack Compute (nova). https://bugs.launchpad.net/bugs/1449062 Title: qemu-img calls need to be restricted by ulimit (CVE-2015-5162) Status in Cinder: New Status in Glance: In Progress Status in OpenStack Compute (nova): Fix Released Status in OpenStack Security Advisory: Confirmed Bug description: Reported via private E-mail from Richard W.M. Jones. Turns out qemu image parser is not hardened against malicious input and can be abused to allocated an arbitrary amount of memory and/or dump a lot of information when used with "--output=json". The solution seems to be: limit qemu-img ressource using ulimit. Example of abuse: -- afl1.img -- $ /usr/bin/time qemu-img info afl1.img image: afl1.img [...] 0.13user 0.19system 0:00.36elapsed 92%CPU (0avgtext+0avgdata 642416maxresident)k 0inputs+0outputs (0major+156927minor)pagefaults 0swaps The original image is 516 bytes, but it causes qemu-img to allocate 640 MB. -- afl2.img -- $ qemu-img info --output=json afl2.img | wc -l 589843 This is a 200K image which causes qemu-img info to output half a million lines of JSON (14 MB of JSON). Glance runs the --output=json variant of the command. -- afl3.img -- $ /usr/bin/time qemu-img info afl3.img image: afl3.img [...] 0.09user 0.35system 0:00.47elapsed 94%CPU (0avgtext+0avgdata 1262388maxresident)k 0inputs+0outputs (0major+311994minor)pagefaults 0swaps qemu-img allocates 1.3 GB (actually, a bit more if you play with ulimit -v). It appears that you could change it to allocate arbitrarily large amounts of RAM. To manage notifications about this bug go to: https://bugs.launchpad.net/cinder/+bug/1449062/+subscriptions -- Mailing list: https://launchpad.net/~yahoo-eng-team Post to : yahoo-eng-team@lists.launchpad.net Unsubscribe : https://launchpad.net/~yahoo-eng-team More help : https://help.launchpad.net/ListHelp
[Yahoo-eng-team] [Bug 1449062] Re: qemu-img calls need to be restricted by ulimit (CVE-2015-5162)
The proposed change did not effectively fixed that issue. ** Changed in: nova Status: Fix Released => Confirmed -- You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to OpenStack Compute (nova). https://bugs.launchpad.net/bugs/1449062 Title: qemu-img calls need to be restricted by ulimit (CVE-2015-5162) Status in Cinder: New Status in Glance: In Progress Status in OpenStack Compute (nova): Confirmed Status in OpenStack Security Advisory: Confirmed Bug description: Reported via private E-mail from Richard W.M. Jones. Turns out qemu image parser is not hardened against malicious input and can be abused to allocated an arbitrary amount of memory and/or dump a lot of information when used with "--output=json". The solution seems to be: limit qemu-img ressource using ulimit. Example of abuse: -- afl1.img -- $ /usr/bin/time qemu-img info afl1.img image: afl1.img [...] 0.13user 0.19system 0:00.36elapsed 92%CPU (0avgtext+0avgdata 642416maxresident)k 0inputs+0outputs (0major+156927minor)pagefaults 0swaps The original image is 516 bytes, but it causes qemu-img to allocate 640 MB. -- afl2.img -- $ qemu-img info --output=json afl2.img | wc -l 589843 This is a 200K image which causes qemu-img info to output half a million lines of JSON (14 MB of JSON). Glance runs the --output=json variant of the command. -- afl3.img -- $ /usr/bin/time qemu-img info afl3.img image: afl3.img [...] 0.09user 0.35system 0:00.47elapsed 94%CPU (0avgtext+0avgdata 1262388maxresident)k 0inputs+0outputs (0major+311994minor)pagefaults 0swaps qemu-img allocates 1.3 GB (actually, a bit more if you play with ulimit -v). It appears that you could change it to allocate arbitrarily large amounts of RAM. To manage notifications about this bug go to: https://bugs.launchpad.net/cinder/+bug/1449062/+subscriptions -- Mailing list: https://launchpad.net/~yahoo-eng-team Post to : yahoo-eng-team@lists.launchpad.net Unsubscribe : https://launchpad.net/~yahoo-eng-team More help : https://help.launchpad.net/ListHelp