Source: nova
Version: 2:31.0.0-6+deb13u2
Severity: serious
Tags: patch security
X-Debbugs-Cc: Debian Security Team <[email protected]>
### Summary
An authenticated user can bypass Placement resource claims by injecting the
internal `_nova_check_type` sentinel through the `os:scheduler_hints` property
of a server create request. The scheduler then treats the request as a
`rebuild` rather than a new instance and skips the Placement allocation
entirely. The result is unbounded provisioning of instances that consume host
resources but hold no Placement allocation, denying resources to legitimate
tenants and oversubscribing compute hosts to the point of physical resource
exhaustion.
### Details
The Nova scheduler (nova/scheduler/utils.py) uses the function
`request_is_rebuild(spec_obj)` to decide whether a pending scheduling request
corresponds to an instance rebuild. During a legitimate rebuild the instance
stays on its original host, so Nova does not need to claim fresh allocations
in Placement for it.
The flaw is that this internal marker is not isolated from user input at the
external API boundary:
1. The JSON schema for the `/servers` create API
(nova/api/openstack/compute/schemas/servers.py) specifies
`additionalProperties: True` for the `os:scheduler_hints` block, so hint names
with the internal `_nova_` prefix are accepted rather than rejected.
2. The user-supplied `scheduler_hints` dictionary is assigned as-is in
nova/api/openstack/compute/servers.py, with no stripping of internal keys,
before the request is handed to the conductor over RPC.
3. When the RequestSpec is built (nova/objects/request_spec.py, where
`scheduler_hints` is declared as a `DictOfListOfStringsField`), scalar hint
values are wrapped into single-element lists, so the user-supplied string
`"rebuild"` becomes `['rebuild']`, which is exactly what the scheduler's
`check_type == ['rebuild']` comparison in nova/scheduler/utils.py expects.
As a result, a create request whose hints contain
`{"_nova_check_type": "rebuild"}` causes the resource-claiming routine to
return `True` early, and no capacity is ever claimed in Placement for the new
instance.
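The following is an added, self-contained model of the hint flow described above, not Nova's code: the function names mirror the Nova functions named in this report, but every body is a simplified re-implementation, and the toy `Placement` inventory, the `RequestSpec` stand-in and the `sanitize_user_hints` mitigation are assumptions made for illustration rather than the upstream fix. It shows the two facts the report turns on: a scalar `"rebuild"` is normalised to `['rebuild']` before the scheduler compares it, and the early return in the claim path lets an arbitrary number of instances land on a host whose Placement usage never moves.

```python
# Added example, not Nova's code: a simplified model of the scheduler-hint
# flow. Function names mirror Nova's, bodies are re-implementations, and the
# Placement class and sanitize_user_hints are assumptions for illustration.
import uuid

INTERNAL_HINT_PREFIX = "_nova_"


def normalize_hints(hints):
    """Mirror the normalisation applied when a RequestSpec is built: every
    scalar hint value is wrapped in a one-element list, so "rebuild" becomes
    ["rebuild"]."""
    if hints is None:
        return None
    return {k: v if isinstance(v, list) else [v] for k, v in hints.items()}


class RequestSpec:
    """Minimal stand-in for nova.objects.RequestSpec (assumed shape)."""

    def __init__(self, hints, vcpus, memory_mb):
        self.scheduler_hints = normalize_hints(hints)
        self.vcpus = vcpus
        self.memory_mb = memory_mb


def request_is_rebuild(spec_obj):
    """Same decision the scheduler makes: a rebuild is recognised purely by
    the sentinel hint, with no check of who set it."""
    if spec_obj.scheduler_hints is None:
        return False
    return spec_obj.scheduler_hints.get("_nova_check_type") == ["rebuild"]


class Placement:
    """Toy inventory standing in for the Placement API (constructed data)."""

    def __init__(self, vcpu, memory_mb):
        self.capacity = {"VCPU": vcpu, "MEMORY_MB": memory_mb}
        self.used = {"VCPU": 0, "MEMORY_MB": 0}
        self.allocations = {}

    def claim(self, instance_uuid, request):
        # Refuse the claim if any resource class would exceed capacity.
        if any(self.used[rc] + amt > self.capacity[rc]
               for rc, amt in request.items()):
            return False
        for rc, amt in request.items():
            self.used[rc] += amt
        self.allocations[instance_uuid] = dict(request)
        return True


def claim_resources(placement, spec_obj, instance_uuid):
    """Vulnerable shape of the claim routine: a rebuild request returns True
    before any Placement claim is attempted."""
    if request_is_rebuild(spec_obj):
        return True
    return placement.claim(instance_uuid, {"VCPU": spec_obj.vcpus,
                                           "MEMORY_MB": spec_obj.memory_mb})


def sanitize_user_hints(hints):
    """Assumed API-boundary mitigation (not the upstream fix): reject any
    user-supplied hint whose name carries the internal prefix."""
    if hints is None:
        return None
    bad = sorted(k for k in hints if k.startswith(INTERNAL_HINT_PREFIX))
    if bad:
        raise ValueError("internal scheduler hints are not allowed: "
                         + ", ".join(bad))
    return dict(hints)


def schedule_many(host_vcpu, host_mem, hints, count, vcpus=4, memory_mb=4096,
                  sanitize=False):
    """Submit `count` identical create requests against one toy host and
    return (instances_accepted, placement_usage)."""
    placement = Placement(host_vcpu, host_mem)
    accepted = 0
    for _ in range(count):
        user_hints = sanitize_user_hints(hints) if sanitize else hints
        spec = RequestSpec(user_hints, vcpus, memory_mb)
        if claim_resources(placement, spec, str(uuid.uuid4())):
            accepted += 1
    return accepted, placement.used


if __name__ == "__main__":
    # Hint block an attacker would place in POST /servers (constructed).
    attack = {"_nova_check_type": "rebuild"}
    print("honest   :", schedule_many(8, 16384, None, 10))
    print("injected :", schedule_many(8, 16384, attack, 10))
    try:
        schedule_many(8, 16384, attack, 10, sanitize=True)
    except ValueError as exc:
        print("hardened :", exc)
```

On an 8 vCPU host the honest run accepts two 4 vCPU instances and stops; the injected run accepts all ten while the toy Placement usage stays at zero, which is the "ghost instance" condition the summary describes. The hardened path rejects the request at the boundary instead of relying on the scheduler to distinguish a user-supplied sentinel from one set by the conductor.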