cinder/releasenotes/notes/apply-limits-to-qemu-img-29f722a1bf4b91f8.yaml
Sean McGinnis 78f17f0ad7 Limit memory & CPU when running qemu-img info
It was found that a modified or corrupted image file can cause a DoS
on the host when getting image info with qemu-img.

This uses the newer 'prlimit' parameter for oslo.concurrency execute
to set an address space limit of 1GB and CPU time limit of 2 seconds
when running the qemu-img info command.

Change-Id: If5b7129b266ef065642bc7898ce9dcf93722a053
Closes-bug: #1449062
2016-09-22 15:31:37 -05:00

8 lines
289 B
YAML

---
security:
- The qemu-img tool now has resource limits applied
which prevent it from using more than 1GB of address
space or more than 2 seconds of CPU time. This provides
protection against denial of service attacks from
maliciously crafted or corrupted disk images.