Browse Source

Limit memory & CPU when running qemu-img info

It was found that a modified or corrupted image file can cause a DoS
on the host when getting image info with qemu-img.

This uses the newer 'prlimit' parameter for oslo.concurrency execute
to set an address space limit of 1GB and CPU time limit of 2 seconds
when running the qemu-img info command.

Change-Id: If5b7129b266ef065642bc7898ce9dcf93722a053
Closes-bug: #1449062
changes/99/375099/1
Sean McGinnis 5 years ago
parent
commit
78f17f0ad7
3 changed files with 18 additions and 4 deletions
  1. +5
    -1
      cinder/image/image_utils.py
  2. +6
    -3
      cinder/tests/unit/test_image_utils.py
  3. +7
    -0
      releasenotes/notes/apply-limits-to-qemu-img-29f722a1bf4b91f8.yaml

+ 5
- 1
cinder/image/image_utils.py View File

@ -54,6 +54,9 @@ image_helper_opts = [cfg.StrOpt('image_conversion_dir',
CONF = cfg.CONF
CONF.register_opts(image_helper_opts)
QEMU_IMG_LIMITS = processutils.ProcessLimits(
cpu_time=2,
address_space=1 * units.Gi)
# NOTE(abhishekk): qemu-img convert command supports raw, qcow2, qed,
# vdi, vmdk, vhd and vhdx disk-formats but glance doesn't support qed
@ -71,7 +74,8 @@ def qemu_img_info(path, run_as_root=True):
cmd = ('env', 'LC_ALL=C', 'qemu-img', 'info', path)
if os.name == 'nt':
cmd = cmd[2:]
out, _err = utils.execute(*cmd, run_as_root=run_as_root)
out, _err = utils.execute(*cmd, run_as_root=run_as_root,
prlimit=QEMU_IMG_LIMITS)
return imageutils.QemuImgInfo(out)


+ 6
- 3
cinder/tests/unit/test_image_utils.py View File

@ -39,7 +39,8 @@ class TestQemuImgInfo(test.TestCase):
output = image_utils.qemu_img_info(test_path)
mock_exec.assert_called_once_with('env', 'LC_ALL=C', 'qemu-img',
'info', test_path, run_as_root=True)
'info', test_path, run_as_root=True,
prlimit=image_utils.QEMU_IMG_LIMITS)
self.assertEqual(mock_info.return_value, output)
@mock.patch('oslo_utils.imageutils.QemuImgInfo')
@ -52,7 +53,8 @@ class TestQemuImgInfo(test.TestCase):
output = image_utils.qemu_img_info(test_path, run_as_root=False)
mock_exec.assert_called_once_with('env', 'LC_ALL=C', 'qemu-img',
'info', test_path, run_as_root=False)
'info', test_path, run_as_root=False,
prlimit=image_utils.QEMU_IMG_LIMITS)
self.assertEqual(mock_info.return_value, output)
@mock.patch('cinder.image.image_utils.os')
@ -67,7 +69,8 @@ class TestQemuImgInfo(test.TestCase):
output = image_utils.qemu_img_info(test_path)
mock_exec.assert_called_once_with('qemu-img', 'info', test_path,
run_as_root=True)
run_as_root=True,
prlimit=image_utils.QEMU_IMG_LIMITS)
self.assertEqual(mock_info.return_value, output)
@mock.patch('cinder.utils.execute')


+ 7
- 0
releasenotes/notes/apply-limits-to-qemu-img-29f722a1bf4b91f8.yaml View File

@ -0,0 +1,7 @@
---
security:
- The qemu-img tool now has resource limits applied
which prevent it from using more than 1GB of address
space or more than 2 seconds of CPU time. This provides
protection against denial of service attacks from
maliciously crafted or corrupted disk images.

Loading…
Cancel
Save