Bugzilla – Bug 949068
VUL-0: CVE-2015-5162: openstack-nova,openstack-glance,openstack-cinder: Malicious image causes OOM on the compute host
Last modified: 2018-04-26 14:38:01 UTC
https://bugs.launchpad.net/ossa/+bug/1449062

The qemu image parser is not hardened against malicious input and can be abused to allocate an arbitrary amount of memory and/or dump a lot of information when used with "--output=json".

Reproducers:

> $ /usr/bin/time qemu-img info afl1.img
> image: afl1.img
> [...]
> 0.13user 0.19system 0:00.36elapsed 92%CPU (0avgtext+0avgdata 642416maxresident)k
> 0inputs+0outputs (0major+156927minor)pagefaults 0swaps
>
> The original image is 516 bytes, but it causes qemu-img to allocate 640 MB.
>
> -- afl2.img --
>
> $ qemu-img info --output=json afl2.img | wc -l
> 589843
>
> This is a 200K image which causes qemu-img info to output half a
> million lines of JSON (14 MB of JSON).
>
> Glance runs the --output=json variant of the command.
>
> -- afl3.img --
>
> $ /usr/bin/time qemu-img info afl3.img
> image: afl3.img
> [...]
> 0.09user 0.35system 0:00.47elapsed 94%CPU (0avgtext+0avgdata 1262388maxresident)k
> 0inputs+0outputs (0major+311994minor)pagefaults 0swaps
>
> qemu-img allocates 1.3 GB (actually, a bit more if you play with
> ulimit -v). It appears that you could change it to allocate
> arbitrarily large amounts of RAM.

nova, cinder.

> Nova: versions through 2014.2.3, 2015.1 versions through 2015.1.1
> Cinder: versions through 2014.2.3, 2015.1 versions through 2015.1.1
> Glance: 2015.1 versions through 2015.1.1

We are good with glance as I can see.

References:
https://bugs.launchpad.net/ossa/+bug/1449062
https://bugzilla.redhat.com/show_bug.cgi?id=1268303
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5162
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5162
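The description above shows the two failure modes a crafted image triggers in `qemu-img info`: an address-space blow-up (the afl1/afl3 reproducers, which `ulimit -v` contains) and a flood of `--output=json` text (afl2). The wrapper below is an added example for this page, not code from nova, glance, cinder or qemu, showing how a caller can run the parser under the limits a compute host should impose: RLIMIT_AS (what `ulimit -v` sets) and RLIMIT_CPU on the child, plus a cap on the bytes read from its stdout and a wall-clock deadline enforced by the parent, so the child is killed rather than the host running out of memory or the caller buffering megabytes of JSON. The `run_limited` / `qemu_img_info` names, the default limits and the `PYTHON` self-test constant are this example's own choices; the tests use the Python interpreter itself as a stand-in for `qemu-img` so they run without qemu installed.

```python
"""Run an untrusted-input parser (e.g. `qemu-img info --output=json`) under
hard resource limits. Added example for bnc#949068 / CVE-2015-5162; this is
not the OpenStack projects' own fix. Unix only (uses fork/exec limits)."""
import json
import os
import resource
import select
import subprocess
import sys
import tempfile
import time
from collections import namedtuple

# reason is None on a normal exit, "output" if the stdout cap was hit,
# "timeout" if the wall-clock deadline was hit (the child is killed in both).
LimitedResult = namedtuple("LimitedResult", "returncode stdout stderr reason")

# Interpreter used as a stand-in for qemu-img in the self-tests (assumption).
PYTHON = sys.executable


def _apply_limits(address_space, cpu_seconds):
    """Runs in the child between fork() and exec(). RLIMIT_AS is exactly what
    'ulimit -v' sets and is what stops the afl1/afl3 style allocations;
    RLIMIT_CPU bounds a parser that loops instead of allocating."""
    resource.setrlimit(resource.RLIMIT_AS, (address_space, address_space))
    resource.setrlimit(resource.RLIMIT_CPU, (cpu_seconds, cpu_seconds))


def _kill(proc):
    proc.kill()
    proc.wait()


def run_limited(argv, address_space=1 << 30, cpu_seconds=8,
                max_output=1 << 20, timeout=30.0):
    """Run argv with a 1 GiB address-space limit, 8 s of CPU, at most 1 MiB of
    stdout and a 30 s deadline by default. Output beyond the cap or past the
    deadline kills the child instead of being buffered in the caller."""
    with tempfile.TemporaryFile() as err:          # stderr cannot block us
        proc = subprocess.Popen(
            argv, stdout=subprocess.PIPE, stderr=err, stdin=subprocess.DEVNULL,
            # preexec_fn is fine for a single-threaded caller; a threaded
            # service would use a prlimit(1)-style helper instead.
            preexec_fn=lambda: _apply_limits(address_space, cpu_seconds))
        fd = proc.stdout.fileno()
        chunks, total, reason = [], 0, None
        deadline = time.monotonic() + timeout
        while True:
            remaining = deadline - time.monotonic()
            if remaining <= 0:
                _kill(proc)
                reason = "timeout"
                break
            ready, _, _ = select.select([fd], [], [], remaining)
            if not ready:
                continue                 # loop back so the deadline check fires
            chunk = os.read(fd, 65536)
            if not chunk:                # EOF: child closed its stdout
                break
            total += len(chunk)
            if total > max_output:       # the afl2 case: refuse to buffer it
                _kill(proc)
                reason = "output"
                break
            chunks.append(chunk)
        proc.stdout.close()
        if reason is None:               # child closed stdout; let it exit
            try:
                proc.wait(timeout=max(deadline - time.monotonic(), 0.1))
            except subprocess.TimeoutExpired:
                _kill(proc)
                reason = "timeout"
        err.seek(0)
        return LimitedResult(proc.returncode, b"".join(chunks),
                             err.read(max_output), reason)


# The command glance runs, per the description above; overridable for tests.
QEMU_IMG_INFO = ("qemu-img", "info", "--output=json")


def qemu_img_info(path, command=QEMU_IMG_INFO, **limits):
    """Inspect an image under limits and return the parsed JSON; any limit
    hit or non-zero exit is an error, never partial data."""
    res = run_limited(list(command) + [path], **limits)
    if res.reason is not None:
        raise RuntimeError("qemu-img info on %s killed: %s limit exceeded"
                           % (path, res.reason))
    if res.returncode != 0:
        raise RuntimeError("qemu-img info on %s failed (%d): %s" % (
            path, res.returncode,
            res.stderr.decode("utf-8", "replace").strip()))
    return json.loads(res.stdout.decode("utf-8"))


if __name__ == "__main__":
    # Usage: python limited_qemu_img.py <image>
    print(json.dumps(qemu_img_info(sys.argv[1]), indent=2))
```

The address-space limit is the one that matters for the OOM in the title: with RLIMIT_AS in place the parser's oversized allocation fails inside the child and `qemu-img` exits non-zero, which the caller reports instead of the compute host swapping or the OOM killer picking a random process. The output cap and deadline are independent of qemu-img's behaviour, so they also cover a future parser bug of the afl2 kind.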
Created attachment 650362 [details] afl1.img Reproducer 1 from upstream bug
Created attachment 650363 [details] afl2.img Reproducer 2 from upstream bug
Created attachment 650364 [details] afl3.img Reproducer 3 from upstream bug. Apparently found by the afl fuzzer.
bugbot adjusting priority
We currently have a running update for openstack-nova for the SLE12-compute node which is not in QA yet. Can we already merge the fix to the running update?
(In reply to Benjamin Brunner from comment #5)
> We currently have a running update for openstack-nova for the SLE12-compute
> node which is not in QA yet. Can we already merge the fix to the running
> update?

Yes. Please include the following (started update):

Security: bnc#934768, bnc#949068, bnc#960601
L3: bnc#945453
There was a fix in https://review.openstack.org/#/c/209627/ but it got reverted quickly via https://review.openstack.org/#/c/234696/ because of nova segfaults.
fixed in current cloud offerings