Glance

Limit CaptureRegion sizes in format_inspector for VMDK and VHDX

Series yoga
Bug #2006490

Bug #2006490 reported by Abhishek Kekane on 2023-02-07

This bug affects 1 person

	Status	Importance	Assigned to
Glance	Status tracked in Zed
Xena	New	Undecided	Unassigned
Yoga	In Progress	Undecided	Unassigned
Zed	Fix Committed	Undecided	Unassigned

Bug Description

VMDK:
When parsing a VMDK file to calculate its size, the format_inspector
determines the location of the Descriptor section by reading two
uint64 from the headers of the file and uses them to create the
descriptor CaptureRegion.

It would be possible to craft a VMDK file that commands the
format_inspector to create a very big CaptureRegion, thus exhausting
resources on the glance-api process.

VHDX:
It is a bit more involved, but similar: when looking for the
VIRTUAL_DISK_SIZE metadata, the format_inspector was creating an
unbounded CaptureRegion.

Revision history for this message

Abhishek Kekane (abhishek-kekane) wrote on 2023-02-07:

Fixed in master with, https://review.opendev.org/c/openstack/glance/+/871831

Changed in glance:
status:	New → Fix Committed

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2023-02-07: Fix proposed to glance (stable/zed)

Fix proposed to branch: stable/zed
Review: https://review.opendev.org/c/openstack/glance/+/872990

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2023-03-10: Fix merged to glance (stable/zed)

Reviewed: https://review.opendev.org/c/openstack/glance/+/872990
Committed: https://opendev.org/openstack/glance/commit/06a18202ab52c64803f044b8f848ed1c160905d2
Submitter: "Zuul (22348)"
Branch: stable/zed

commit 06a18202ab52c64803f044b8f848ed1c160905d2
Author: Guillaume Espanel <email address hidden>
Date: Wed Jan 25 11:53:09 2023 +0100

Limit CaptureRegion sizes in format_inspector for VMDK and VHDX

    VMDK:
    When parsing a VMDK file to calculate its size, the format_inspector
    determines the location of the Descriptor section by reading two
    uint64 from the headers of the file and uses them to create the
    descriptor CaptureRegion.

    It would be possible to craft a VMDK file that commands the
    format_inspector to create a very big CaptureRegion, thus exhausting
    resources on the glance-api process.

    This patch binds the beginning of the descriptor to 0x200 and limits
    the size of the CaptureRegion to 1MB, similar to how the VMDK
    descriptor is parsed by qemu.

    VHDX:
    It is a bit more involved, but similar: when looking for the
    VIRTUAL_DISK_SIZE metadata, the format_inspector was creating an
    unbounded CaptureRegion.

In the same way as it seems to be done in Qemu, we now limit the upper
bound of this CaptureRegion.

    Closes-Bug: #2006490
    Change-Id: I3ec5a33df20e1cfb6673f4ff1c7c91aacd065532
    (cherry picked from commit d4d33ee30f303f783c0640cd72acb31b313e1164)

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2023-03-14: Fix proposed to glance (stable/yoga)

Fix proposed to branch: stable/yoga
Review: https://review.opendev.org/c/openstack/glance/+/877266

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.