78f17f0ad7
It was found that a modified or corrupted image file can cause a DoS on the host when getting image info with qemu-img. This uses the newer 'prlimit' parameter for oslo.concurrency execute to set an address space limit of 1GB and CPU time limit of 2 seconds when running the qemu-img info command. Change-Id: If5b7129b266ef065642bc7898ce9dcf93722a053 Closes-bug: #1449062
8 lines
289 B
YAML
8 lines
289 B
YAML
---
|
|
security:
|
|
- The qemu-img tool now has resource limits applied
|
|
which prevent it from using more than 1GB of address
|
|
space or more than 2 seconds of CPU time. This provides
|
|
protection against denial of service attacks from
|
|
maliciously crafted or corrupted disk images.
|