Cinder

Bug #1784871
Comment #13

Comment 13 for bug 1784871

Revision history for this message

Jay Bryant (jsbryant) wrote on 2018-08-17: Re: [Bug 1784871] Re: ScaleIO (thin) volumes contain previous data (follow-up to 1699573)

#13

Jeremy,

I will backport today and propose rc2.

Jay

On Fri, Aug 17, 2018, 4:01 PM Jeremy Stanley <email address hidden> wrote:

> Are there stable backports in the works yet for
> https://review.openstack.org/592001 or will fixing there require a
> different approach?
>
> --
> You received this bug notification because you are a member of Cinder
> Core security contacts, which is subscribed to the bug report.
> https://bugs.launchpad.net/bugs/1784871
>
> Title:
> ScaleIO (thin) volumes contain previous data (follow-up to 1699573)
>
> Status in Cinder:
> Fix Released
> Status in OpenStack Security Advisory:
> Confirmed
>
> Bug description:
> Bug 1699573 described an issue in the ScaleIO Cinder driver where new
> volumes can contain data from previously deleted volumes. [1]
>
> We specifically document [2] that this is a security hazard for
> Cinder, because it means that end-user data can leak between tenants.
>
> The previous bug discussion and fix indicated that this only affects
> thick-provisioned volumes from ScaleIO. Further investigation
> indicates that it also affects thin-provisioned volumes, so the fix
> was not complete.
>
> It appears that we can fix this issue completely by extending the
> previous fix to not consider thin-provisioned volumes safe, and apply
> the same logic to thin volumes that we use for thick volumes. This
> would force ScaleIO zero padding to be enabled in all cases.
>
> I also think this bug merits a Class A rating per the VMT process. [3]
> I don't see a reason we can't backport the fix to stable releases.
>
> The text of OSSN-0084 [4] makes this more confusing -- the description
> described this issue as affecting thin volumes, when the fix only
> affected thick volumes. The Recommended Actions are also incorrect --
> enabling zero padding probably* fixes this issue, but swapping to thin
> volumes is not relevant.
>
> * (I don't have access to a ScaleIO backend to investigate this
> directly. I'm relying on some brief discussion with ScaleIO
> maintainers and customer reports.)
>
> [1] https://bugs.launchpad.net/cinder/+bug/1699573
> [2]
> https://git.openstack.org/cgit/openstack/cinder/tree/doc/source/contributor/drivers.rst?h=13.0.0.0b2#n58
> [3]
> https://security.openstack.org/vmt-process.html#incident-report-taxonomy
> [4]
> http://lists.openstack.org/pipermail/openstack-dev/2018-July/132096.html
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/cinder/+bug/1784871/+subscriptions
>

Jeremy,

I will backport today and propose rc2.

Jay

On Fri, Aug 17, 2018, 4:01 PM Jeremy Stanley <fungi@yuggoth.org> wrote:

> Are there stable backports in the works yet for
> https://review.openstack.org/592001 or will fixing there require a
> different approach?
>
> --
> You received this bug notification because you are a member of Cinder
> Core security contacts, which is subscribed to the bug report.
> https://bugs.launchpad.net/bugs/1784871
>
> Title:
>   ScaleIO (thin) volumes contain previous data (follow-up to 1699573)
>
> Status in Cinder:
>   Fix Released
> Status in OpenStack Security Advisory:
>   Confirmed
>
> Bug description:
>   Bug 1699573 described an issue in the ScaleIO Cinder driver where new
>   volumes can contain data from previously deleted volumes.  [1]
>
>   We specifically document [2] that this is a security hazard for
>   Cinder, because it means that end-user data can leak between tenants.
>
>   The previous bug discussion and fix indicated that this only affects
>   thick-provisioned volumes from ScaleIO.  Further investigation
>   indicates that it also affects thin-provisioned volumes, so the fix
>   was not complete.
>
>   It appears that we can fix this issue completely by extending the
>   previous fix to not consider thin-provisioned volumes safe, and apply
>   the same logic to thin volumes that we use for thick volumes.  This
>   would force ScaleIO zero padding to be enabled in all cases.
>
>   I also think this bug merits a Class A rating per the VMT process. [3]
>   I don't see a reason we can't backport the fix to stable releases.
>
>   The text of OSSN-0084 [4] makes this more confusing -- the description
>   described this issue as affecting thin volumes, when the fix only
>   affected thick volumes.  The Recommended Actions are also incorrect --
>   enabling zero padding probably* fixes this issue, but swapping to thin
>   volumes is not relevant.
>
>   * (I don't have access to a ScaleIO backend to investigate this
>   directly.  I'm relying on some brief discussion with ScaleIO
>   maintainers and customer reports.)
>
>   [1] https://bugs.launchpad.net/cinder/+bug/1699573
>   [2]
> https://git.openstack.org/cgit/openstack/cinder/tree/doc/source/contributor/drivers.rst?h=13.0.0.0b2#n58
>   [3]
> https://security.openstack.org/vmt-process.html#incident-report-taxonomy
>   [4]
> http://lists.openstack.org/pipermail/openstack-dev/2018-July/132096.html
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/cinder/+bug/1784871/+subscriptions
>