Permalink
Browse files

disallow boot from volume from specifying arbitrary volumes

Fix a vulnerability in volume attachment in nova-volume, affecting the
boot-from-volume feature.  By passing a specific volume ID, an
authenticated user may be able to boot from a volume they don't own,
potentially resulting in full access to that 3rd-party volume.
Folsom setups making use of Cinder are not affected.

Fixes bug: 1069904, CVE-2013-0208
Change-Id: I5f7c8d20d3ebf33ce1ce64bf0a8418bd2b5a6411
  • Loading branch information...
1 parent 747fb95 commit 317cc0af385536dee43ef2addad50a91357fc1ad @vishvananda vishvananda committed with Pádraig Brady Jan 24, 2013
Showing with 36 additions and 5 deletions.
  1. +22 −5 nova/compute/api.py
  2. +14 −0 nova/exception.py
View
@@ -507,6 +507,11 @@ def _create_instance(self, context, instance_type,
security_group, block_device_mapping)
instances.append(instance)
instance_uuids.append(instance['uuid'])
+ self._validate_bdm(context, instance)
+ # send a state update notification for the initial create to
+ # show it going from non-existent to BUILDING
+ notifications.send_update_with_states(context, instance, None,
+ vm_states.BUILDING, None, None, service="api")
# In the case of any exceptions, attempt DB cleanup and rollback the
# quota reservations.
@@ -623,6 +628,23 @@ def _update_block_device_mapping(self, elevated_context,
self.db.block_device_mapping_update_or_create(elevated_context,
values)
+ def _validate_bdm(self, context, instance):
+ for bdm in self.db.block_device_mapping_get_all_by_instance(
+ context, instance['uuid']):
+ # NOTE(vish): For now, just make sure the volumes are accessible.
+ snapshot_id = bdm.get('snapshot_id')
+ volume_id = bdm.get('volume_id')
+ if volume_id is not None:
+ try:
+ self.volume_api.get(context, volume_id)
+ except Exception:
+ raise exception.InvalidBDMVolume(id=volume_id)
+ elif snapshot_id is not None:
+ try:
+ self.volume_api.get_snapshot(context, snapshot_id)
+ except Exception:
+ raise exception.InvalidBDMSnapshot(id=snapshot_id)
+
def _populate_instance_for_bdm(self, context, instance, instance_type,
image, block_device_mapping):
"""Populate instance block device mapping information."""
@@ -735,11 +757,6 @@ def create_db_entry_for_new_instance(self, context, instance_type, image,
self._populate_instance_for_bdm(context, instance,
instance_type, image, block_device_mapping)
- # send a state update notification for the initial create to
- # show it going from non-existent to BUILDING
- notifications.send_update_with_states(context, instance, None,
- vm_states.BUILDING, None, None, service="api")
-
return instance
def _check_create_policies(self, context, availability_zone,
View
@@ -223,6 +223,20 @@ class InvalidSnapshot(Invalid):
message = _("Invalid snapshot") + ": %(reason)s"
+class InvalidBDM(Invalid):
+ message = _("Block Device Mapping is Invalid.")
+
+
+class InvalidBDMSnapshot(InvalidBDM):
+ message = _("Block Device Mapping is Invalid: "
+ "failed to get snapshot %(id)s.")
+
+
+class InvalidBDMVolume(InvalidBDM):
+ message = _("Block Device Mapping is Invalid: "
+ "failed to get volume %(id)s.")
+
+
class VolumeUnattached(Invalid):
message = _("Volume %(volume_id)s is not attached to anything")

0 comments on commit 317cc0a

Please sign in to comment.