1 |
From e40f18454d0fbae93812fa25c78fabec58270a67 Mon Sep 17 00:00:00 2001 |
2 |
From: William Cohen <wcohen@redhat.com> |
3 |
Date: Tue, 10 May 2011 16:42:31 -0400 |
4 |
Subject: [PATCH 4/4] Do additional checks on user supplied arguments |
5 |
|
6 |
Avoid blindly setting variable to user-supplied values. Check to the values |
7 |
to make sure they do not contain odd punctuation to address CVE-2011-1760. |
8 |
|
9 |
The patch was ported by Luciano Bello |
10 |
--- |
11 |
utils/opcontrol | 36 ++++++++++++++++++++++-------------- |
12 |
1 files changed, 22 insertions(+), 14 deletions(-) |
13 |
|
14 |
--- a/utils/opcontrol |
15 |
+++ b/utils/opcontrol |
16 |
@@ -60,6 +60,43 @@ |
17 |
fi |
18 |
} |
19 |
|
20 |
+# guess_number_base() checks if string is a valid octal(8), hexidecimal(16), |
21 |
+# or decimal number(10). The value is returned in $?. Returns 0, if string |
22 |
+# isn't a octal, hexidecimal, or decimal number. |
23 |
+guess_number_base() |
24 |
+{ |
25 |
+ if [[ "$1" =~ ^0[0-7]*$ ]] ; then |
26 |
+ return 8; |
27 |
+ elif [[ "$1" =~ ^0x[0-9a-fA-F]+$ ]] ; then |
28 |
+ return 16; |
29 |
+ elif [[ "$1" =~ ^[1-9][0-9]*$ ]] ; then |
30 |
+ return 10; |
31 |
+ else |
32 |
+ return 0; |
33 |
+ fi |
34 |
+} |
35 |
+ |
36 |
+# check value is a valid number |
37 |
+error_if_not_number() |
38 |
+{ |
39 |
+ error_if_empty $1 $2 |
40 |
+ guess_number_base $2 |
41 |
+ if test "$?" -eq 0 ; then |
42 |
+ echo "Argument for $1, $2, is not a valid number." >&2 |
43 |
+ exit 1 |
44 |
+ fi |
45 |
+} |
46 |
+ |
47 |
+error_if_invalid_arg() |
48 |
+{ |
49 |
+ error_if_empty $1 $2 |
50 |
+ clean_val="`echo "$2" | tr -cd '[:alnum:]_:/,\-.'`" |
51 |
+ if [ "x$2" != "x$clean_val" ]; then |
52 |
+ echo "Argument for $1, $2, is not valid argument." >&2 |
53 |
+ exit 1 |
54 |
+ fi |
55 |
+} |
56 |
+ |
57 |
# rm_device arguments $1=file_name |
58 |
rm_device() |
59 |
{ |
60 |
@@ -436,7 +473,7 @@ |
61 |
# load the actual information from file |
62 |
while IFS== read -r arg val; do |
63 |
clean_arg="`echo "${arg}" | tr -cd '[:alnum:]_'`" |
64 |
- clean_val="`echo "${val}" | tr -cd '[:alnum:]_:/.-'`" |
65 |
+ clean_val="`echo "${val}" | tr -cd '[:alnum:]_:/,\-.'`" |
66 |
if [ "x$arg" != "x$clean_arg" ]; then |
67 |
echo "Invalid variable \"$arg\" in $SETUP_FILE." |
68 |
exit 1 |
69 |
@@ -748,7 +785,7 @@ |
70 |
;; |
71 |
|
72 |
--save) |
73 |
- error_if_empty $arg $val |
74 |
+ error_if_invalid_arg $arg $val |
75 |
DUMP=yes |
76 |
SAVE_SESSION=yes |
77 |
SAVE_NAME=$val |
78 |
@@ -773,7 +810,7 @@ |
79 |
# already processed |
80 |
;; |
81 |
--buffer-size) |
82 |
- error_if_empty $arg $val |
83 |
+ error_if_not_number $arg $val |
84 |
BUF_SIZE=$val |
85 |
DO_SETUP=yes |
86 |
;; |
87 |
@@ -782,7 +819,7 @@ |
88 |
echo "$arg unsupported for this kernel version" |
89 |
exit 1 |
90 |
fi |
91 |
- error_if_empty $arg $val |
92 |
+ error_if_not_number $arg $val |
93 |
BUF_WATERSHED=$val |
94 |
DO_SETUP=yes |
95 |
;; |
96 |
@@ -791,12 +828,12 @@ |
97 |
echo "$arg unsupported for this kernel version" |
98 |
exit 1 |
99 |
fi |
100 |
- error_if_empty $arg $val |
101 |
+ error_if_not_number $arg $val |
102 |
CPU_BUF_SIZE=$val |
103 |
DO_SETUP=yes |
104 |
;; |
105 |
-e|--event) |
106 |
- error_if_empty $arg $val |
107 |
+ error_if_invalid_arg $arg $val |
108 |
# reset any read-in defaults from daemonrc |
109 |
if test "$SEEN_EVENT" = "0"; then |
110 |
NR_CHOSEN=0 |
111 |
@@ -817,7 +854,6 @@ |
112 |
DO_SETUP=yes |
113 |
;; |
114 |
-c|--callgraph) |
115 |
- error_if_empty $arg $val |
116 |
if test ! -f $MOUNT/backtrace_depth; then |
117 |
echo "Call-graph profiling unsupported on this kernel/hardware" >&2 |
118 |
exit 1 |
119 |
@@ -826,7 +862,7 @@ |
120 |
DO_SETUP=yes |
121 |
;; |
122 |
--vmlinux) |
123 |
- error_if_empty $arg $val |
124 |
+ error_if_invalid_arg $arg $val |
125 |
VMLINUX=$val |
126 |
DO_SETUP=yes |
127 |
;; |
128 |
@@ -835,32 +871,32 @@ |
129 |
DO_SETUP=yes |
130 |
;; |
131 |
--kernel-range) |
132 |
- error_if_empty $arg $val |
133 |
+ error_if_invalid_arg $arg $val |
134 |
KERNEL_RANGE=$val |
135 |
DO_SETUP=yes |
136 |
;; |
137 |
--xen) |
138 |
- error_if_empty $arg $val |
139 |
+ error_if_invalid_arg $arg $val |
140 |
XENIMAGE=$val |
141 |
DO_SETUP=yes |
142 |
;; |
143 |
--active-domains) |
144 |
- error_if_empty $arg $val |
145 |
+ error_if_invalid_arg $arg $val |
146 |
ACTIVE_DOMAINS=$val |
147 |
DO_SETUP=yes |
148 |
;; |
149 |
--note-table-size) |
150 |
- error_if_empty $arg $val |
151 |
if test "$KERNEL_SUPPORT" = "yes"; then |
152 |
echo "\"$arg\" meaningless on this kernel" >&2 |
153 |
exit 1 |
154 |
else |
155 |
+ error_if_not_number $arg $val |
156 |
NOTE_SIZE=$val |
157 |
fi |
158 |
DO_SETUP=yes |
159 |
;; |
160 |
-i|--image) |
161 |
- error_if_empty $arg $val |
162 |
+ error_if_invalid_arg $arg $val |
163 |
if test "$val" = "all"; then |
164 |
IMAGE_FILTER= |
165 |
else |
166 |
@@ -873,6 +909,7 @@ |
167 |
if test -z "$val"; then |
168 |
VERBOSE="all" |
169 |
else |
170 |
+ error_if_invalid_arg $arg $val |
171 |
VERBOSE=$val |
172 |
fi |
173 |
;; |
174 |
@@ -1809,7 +1846,7 @@ |
175 |
exit 0 |
176 |
;; |
177 |
--session-dir) |
178 |
- error_if_empty $arg $val |
179 |
+ error_if_invalid_arg $arg $val |
180 |
SESSION_DIR="$val" |
181 |
DO_SETUP=yes |
182 |
# do not exit early |