From cce7faf49aeb3b53433b9b7bcc48ca2e7dbaee64 Mon Sep 17 00:00:00 2001
From: Brett Holman
Date: Thu, 22 Aug 2024 16:54:53 -0600
Subject: [PATCH 1/2] fix: Don't attempt to identify non-x86 OpenStack instances
RH-Author: Ani Sinha
RH-MergeRequest: 129: CVE-2024-6174: fix: Don't attempt to identify non-x86 OpenStack instances
RH-Jira: RHEL-100615
RH-Acked-by: xiachen
RH-Acked-by: Miroslav Rezanina
RH-Commit: [1/2] 71a7a1b189d33ff43dc439ecf73c996a9cca3494 (anisinha/cloud-init)
This causes cloud-init to attempt to reach out to the OpenStack Nova datasource in non-Nova deployments on non-x86 architectures.
Change default policy of ds-identify to disallow discovery of datasources without strict identifiable artifacts in either kernel cmdline, DMI platform information or system configuration files.
This prevents cloud-init from attempting to reach out to well-known hard-codded link-local IP addresses for configuration information unless the platform strictly identifies as a specific datasource.
CVE-2024-6174
LP: #2069607
BREAKING_CHANGE: This may break non-x86 OpenStack Nova users. Affected users may wish to use ConfigDrive as a workaround.
(cherry picked from commit 8c3ae1bb9f1d80fbf217b41a222ee434e7f58900)
Signed-off-by: Ani Sinha
---
 doc/rtd/reference/breaking_changes.rst | 49 ++++++++++++++++++++++++++
 tests/unittests/test_ds_identify.py | 13 ++++---
 tools/ds-identify | 8 ++---
 3 files changed, 59 insertions(+), 11 deletions(-)
diff --git a/doc/rtd/reference/breaking_changes.rst b/doc/rtd/reference/breaking_changes.rst
index ce54e1c95..cd425a304 100644
--- a/doc/rtd/reference/breaking_changes.rst
+++ b/doc/rtd/reference/breaking_changes.rst
@@ -11,6 +11,54 @@ releases.
 many operating system vendors patch out breaking changes in cloud-init to
 ensure consistent behavior on their platform.
+25.1.3
+======
+
+Strict datasource identity before network
+-----------------------------------------
+Affects detection of Ec2, OpenStack or AltCloud datasources for non-x86
+architectures where DMI may not be accessible.
+
+Datasource detection provided by ds-identify in cloud-init now requires strict
+identification based on DMI platform information, kernel command line or
+`datasource_list:` system configuration in /etc/cloud/cloud.cfg.d.
+
+Prior to this change, ds-identify would allow non-x86 architectures without
+strict identifying platform information to run in a discovery mode which would
+attempt to reach out to well known static link-local IPs to attempt to
+retrieve configuration once system networking is up.
+
+To mitigate the potential of a bad-actor in a local network responding
+to such provisioning requests from cloud-init clients, ds-identify will no
+longer allow this late discovery mode for platforms unable to expose clear
+identifying characteristics of a known cloud-init datasource.
+
+The most likely affected cloud platforms are AltCloud, Ec2 and OpenStack for
+non-x86 architectures where DMI data is not exposed by the kernel.
+
+If your non-x86 architecture or images no longer detect the proper datasource,
+any of the following steps can ensure proper detection of cloud-init config:
+
+- Provide kernel commandline containing ``ds=``
+ which forces ds-identify to discover a specific datasource.
+- Image creators: provide a config file part such as
+ :file:`/etc/cloud/cloud.cfg.d/*.cfg` containing the
+ case-sensitive ``datasource_list: [ ]`` to force cloud-init
+ to use a specific datasource without performing discovery.
+
+For example, to force OpenStack discovery in cloud-init any of the following
+approaches work:
+
+- OpenStack: `attach a ConfigDrive`_ as an alternative config source
+- Kernel command line containing ``ds=openstack``
+- Custom images provide :file:`/etc/cloud/cloud.cfg.d/91-set-datasource.cfg`
+ containing:
+
+.. code-block:: yaml
+
+ datasource_list: [ OpenStack ]
+
+
 24.3
 ====
@@ -148,5 +196,6 @@ Workarounds include updating the kernel command line and optionally
 configuring a ``datasource_list`` in ``/etc/cloud/cloud.cfg.d/*.cfg``.
+.. _attach a ConfigDrive: https://docs.openstack.org/nova/2024.1/admin/config-drive.html
 .. _this patch: https://github.com/canonical/cloud-init/blob/ubuntu/noble/debian/patches/no-single-process.patch
 .. _Python3 equivalent: https://github.com/canonical/cloud-init/pull/5489#issuecomment-2408210561
diff --git a/tests/unittests/test_ds_identify.py b/tests/unittests/test_ds_identify.py
index 5d47e552b..9b3828ce6 100644
--- a/tests/unittests/test_ds_identify.py
+++ b/tests/unittests/test_ds_identify.py
@@ -208,9 +208,9 @@ system_info:
 """
 POLICY_FOUND_ONLY = "search,found=all,maybe=none,notfound=disabled"
-POLICY_FOUND_OR_MAYBE = "search,found=all,maybe=all,notfound=disabled"
-DI_DEFAULT_POLICY = "search,found=all,maybe=all,notfound=disabled"
-DI_DEFAULT_POLICY_NO_DMI = "search,found=all,maybe=all,notfound=enabled"
+POLICY_FOUND_OR_MAYBE = "search,found=all,maybe=none,notfound=disabled"
+DI_DEFAULT_POLICY = "search,found=all,maybe=none,notfound=disabled"
+DI_DEFAULT_POLICY_NO_DMI = "search,found=all,maybe=none,notfound=enabled"
 DI_EC2_STRICT_ID_DEFAULT = "true"
 OVF_MATCH_STRING = "http://schemas.dmtf.org/ovf/environment/1"
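Review bot: `DI_DEFAULT_POLICY_NO_DMI` still ends in `notfound=enabled` after this hunk, and the same holds for the shell default in the `tools/ds-identify` hunk at `@@ -100,8 +100,8 @@`, so on a platform that exposes no DMI and matches nothing, ds-identify presumably still leaves cloud-init enabled with the configured datasource list, and each datasource's own runtime detection becomes the remaining gate before any link-local probing. That split between ds-identify and the runtime may well be intended for a `[PATCH 1/2]`, but nothing in the test module records it, and the two default policies now differ only in that last field. A one-line comment above the constant would make the intent reviewable, e.g. `# no-DMI platforms keep notfound=enabled; runtime datasource detection must still refuse unidentified network sources`. The same note applies to the ds-identify hunk named above.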
@@ -937,7 +937,7 @@ class TestDsIdentify(DsIdentifyBase):
 self._test_ds_found("OpenStack-AssetTag-Compute")
 def test_openstack_on_non_intel_is_maybe(self):
- """On non-Intel, openstack without dmi info is maybe.
+ """On non-Intel, openstack without dmi info is none.
 nova does not identify itself on platforms other than intel.
 https://bugs.launchpad.net/cloud-init/+bugs?field.tag=dsid-nova"""
@@ -957,10 +957,9 @@ class TestDsIdentify(DsIdentifyBase):
 # updating the uname to ppc64 though should get a maybe.
 data.update({"mocks": [MOCK_VIRT_IS_KVM, MOCK_UNAME_IS_PPC64]})
- (_, _, err, _, _) = self._check_via_dict(
- data, RC_FOUND, dslist=["OpenStack", "None"]
- )
+ (_, _, err, _, _) = self._check_via_dict(data, RC_NOT_FOUND)
 self.assertIn("check for 'OpenStack' returned maybe", err)
+ self.assertIn("No ds found", err)
 def test_default_ovf_is_found(self):
 """OVF is identified found when ovf/ovf-env.xml seed file exists."""
diff --git a/tools/ds-identify b/tools/ds-identify
index e00b05e80..5644b1e39 100755
--- a/tools/ds-identify
+++ b/tools/ds-identify
@@ -14,7 +14,7 @@
 # The format is:
 # ,found=value,maybe=value,notfound=value
 # default setting is:
-# search,found=all,maybe=all,notfound=disabled
+# search,found=all,maybe=none,notfound=disabled
 #
 # kernel command line option: ci.di.policy=
 # example line in /etc/cloud/ds-identify.cfg:
@@ -40,7 +40,7 @@
 # first: use the first found do no further checking
 # all: enable all DS_FOUND
 #
-# maybe: (default=all)
+# maybe: (default=none)
 # if nothing returned 'found', then how to handle maybe.
 # no network sources are allowed to return 'maybe'.
 # all: enable all DS_MAYBE
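Review bot: The test now asserts `RC_NOT_FOUND` and `No ds found`, yet the method is still named `test_openstack_on_non_intel_is_maybe` and the context comment `# updating the uname to ppc64 though should get a maybe.` still describes the outcome as "maybe"; after this change "maybe" is only the per-check verdict, while the result is that no datasource is enabled. The docstring in the `@@ -937,7 +937,7 @@` hunk was updated to "is none" but the name and comment were not, so a reader of the test list gets the pre-change expectation. Either rename to `test_openstack_on_non_intel_is_not_found` or change the comment to `# ppc64 uname: the OpenStack check still returns maybe, which the default maybe=none no longer enables`. The enclosing method starts before this hunk.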
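Review bot: The context line `# no network sources are allowed to return 'maybe'.` in the `@@ -40,7 +40,7 @@` hunk is contradicted by the test in this same patch, which asserts `check for 'OpenStack' returned maybe` for a ppc64 guest, and OpenStack is a network datasource. That sentence reads as the original justification for `maybe=all` being safe; since the commit lowers the default to `maybe=none` precisely because the invariant does not hold on DMI-less platforms, leaving it in place keeps a false safety claim next to the new default. Replace it with `# network sources can return 'maybe' on platforms without DMI; the default maybe=none does not enable them.` so the comment explains the new default rather than arguing against it.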
@@ -100,8 +100,8 @@ DI_MAIN=${DI_MAIN:-main}
 DI_BLKID_EXPORT_OUT=""
 DI_GEOM_LABEL_STATUS_OUT=""
-DI_DEFAULT_POLICY="search,found=all,maybe=all,notfound=${DI_DISABLED}"
-DI_DEFAULT_POLICY_NO_DMI="search,found=all,maybe=all,notfound=${DI_ENABLED}"
+DI_DEFAULT_POLICY="search,found=all,maybe=none,notfound=${DI_DISABLED}"
+DI_DEFAULT_POLICY_NO_DMI="search,found=all,maybe=none,notfound=${DI_ENABLED}"
 DI_DMI_BOARD_NAME=""
 DI_DMI_CHASSIS_ASSET_TAG=""
 DI_DMI_PRODUCT_NAME=""
-- 
2.39.3