>From e40f18454d0fbae93812fa25c78fabec58270a67 Mon Sep 17 00:00:00 2001 From: William Cohen Date: Tue, 10 May 2011 16:42:31 -0400 Subject: [PATCH 4/4] Do additional checks on user supplied arguments Avoid blindly setting variable to user-supplied values. Check to the values to make sure they do not contain odd punctuation to address CVE-2011-1760. --- utils/opcontrol | 36 ++++++++++++++++++++++-------------- 1 files changed, 22 insertions(+), 14 deletions(-) diff --git a/utils/opcontrol b/utils/opcontrol index 7b82b99..6cc0198 100644 --- a/utils/opcontrol +++ b/utils/opcontrol @@ -68,6 +68,7 @@ guess_number_base() # check value is a valid number error_if_not_number() { + error_if_empty $1 $2 guess_number_base $2 if test "$?" -eq 0 ; then echo "Argument for $1, $2, is not a valid number." >&2 @@ -85,6 +86,16 @@ error_if_not_basename() fi } +error_if_invalid_arg() +{ + error_if_empty $1 $2 + clean_val="`echo "$2" | tr -cd '[:alnum:]_:/,\-.'`" + if [ "x$2" != "x$clean_val" ]; then + echo "Argument for $1, $2, is not valid argument." >&2 + exit 1 + fi +} + # rm_device arguments $1=file_name rm_device() { @@ -471,7 +482,7 @@ do_load_setup() # load the actual information from file while IFS== read -r arg val; do clean_arg="`echo "${arg}" | tr -cd '[:alnum:]_'`" - clean_val="`echo "${val}" | tr -cd '[:alnum:]_:/.-'`" + clean_val="`echo "${val}" | tr -cd '[:alnum:]_:/,\-.'`" if [ "x$arg" != "x$clean_arg" ]; then echo "Invalid variable \"$arg\" in $SETUP_FILE." exit 1 @@ -783,7 +794,7 @@ do_options() ;; --save) - error_if_empty $arg $val + error_if_invalid_arg $arg $val DUMP=yes SAVE_SESSION=yes SAVE_NAME=$val @@ -808,7 +819,6 @@ do_options() # already processed ;; --buffer-size) - error_if_empty $arg $val error_if_not_number $arg $val BUF_SIZE=$val DO_SETUP=yes @@ -818,7 +828,6 @@ do_options() echo "$arg unsupported for this kernel version" exit 1 fi - error_if_empty $arg $val error_if_not_number $arg $val BUF_WATERSHED=$val DO_SETUP=yes 
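Review bot: The added call `error_if_empty $1 $2` in error_if_not_number passes its arguments unquoted, so a value containing whitespace or glob characters is split before the callee sees it and only the first word is checked. The same pattern recurs inside the new error_if_invalid_arg and at every `error_if_invalid_arg $arg $val` and `error_if_not_number $arg $val` call site in do_options and check_options_early. The assignments that follow, such as `SAVE_NAME=$val`, take the whole string, so the validated text and the stored text can differ. Quoting closes the gap: `error_if_empty "$1" "$2"` inside the helpers and `error_if_invalid_arg "$arg" "$val"` at the callers. error_if_empty's body is outside the patch, so confirm it also tests a quoted `"$2"`.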
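Review bot: error_if_invalid_arg has no header comment, unlike its neighbours, and its allowed-character list `'[:alnum:]_:/,\-.'` is repeated verbatim in the do_load_setup hunk that follows, so the two copies can drift apart. One definition such as `VALID_VAL_CHARS='[:alnum:]_:/,.-'`, used as `tr -cd "$VALID_VAL_CHARS"` in both places with a comment like `# check value contains only alphanumerics and _ : / , . -`, would keep them in step. Placing `-` last also avoids `\-`, which as far as I know POSIX leaves unspecified for tr. `clean_val` is a global that shares its name with the variable in do_load_setup's read loop; a distinct name would avoid any accidental coupling.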
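Review bot: `--save` now goes through error_if_invalid_arg, whose character set still admits `/` and `.`, so `SAVE_NAME` can be an absolute path or contain `..` components rather than a plain session name. The hunk header earlier in this patch shows that an error_if_not_basename helper already exists in the file. Adding `error_if_not_basename "$arg" "$val"` after the new check would restrict the name to a single path component. How SAVE_NAME is used later is outside this hunk, so confirm that no equivalent check is already applied there.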
@@ -828,13 +837,12 @@ do_options() echo "$arg unsupported for this kernel version" exit 1 fi - error_if_empty $arg $val error_if_not_number $arg $val CPU_BUF_SIZE=$val DO_SETUP=yes ;; -e|--event) - error_if_empty $arg $val + error_if_invalid_arg $arg $val # reset any read-in defaults from daemonrc if test "$SEEN_EVENT" = "0"; then NR_CHOSEN=0 @@ -855,7 +863,6 @@ do_options() DO_SETUP=yes ;; -c|--callgraph) - error_if_empty $arg $val if test ! -f $MOUNT/backtrace_depth; then echo "Call-graph profiling unsupported on this kernel/hardware" >&2 exit 1 @@ -865,7 +872,7 @@ do_options() DO_SETUP=yes ;; --vmlinux) - error_if_empty $arg $val + error_if_invalid_arg $arg $val VMLINUX=$val DO_SETUP=yes ;; @@ -874,32 +881,32 @@ do_options() DO_SETUP=yes ;; --kernel-range) - error_if_empty $arg $val + error_if_invalid_arg $arg $val KERNEL_RANGE=$val DO_SETUP=yes ;; --xen) - error_if_empty $arg $val + error_if_invalid_arg $arg $val XENIMAGE=$val DO_SETUP=yes ;; --active-domains) - error_if_empty $arg $val + error_if_invalid_arg $arg $val ACTIVE_DOMAINS=$val DO_SETUP=yes ;; --note-table-size) - error_if_empty $arg $val if test "$KERNEL_SUPPORT" = "yes"; then echo "\"$arg\" meaningless on this kernel" >&2 exit 1 else + error_if_not_number $arg $val NOTE_SIZE=$val fi DO_SETUP=yes ;; -i|--image) - error_if_empty $arg $val + error_if_invalid_arg $arg $val if test "$val" = "all"; then IMAGE_FILTER= else @@ -912,6 +919,7 @@ do_options() if test -z "$val"; then VERBOSE="all" else + error_if_invalid_arg $arg $val VERBOSE=$val fi ;; @@ -1845,7 +1853,7 @@ check_options_early() exit 0 ;; --session-dir) - error_if_empty $arg $val + error_if_invalid_arg $arg $val SESSION_DIR="$val" DO_SETUP=yes # do not exit early -- 1.7.1
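Review bot: Path-valued options such as `-i|--image` are now limited to alphanumerics and `_:/,-.`, which rejects legitimate file names containing other characters, for example the `+` in `libstdc++`. The same applies to `--vmlinux` in the previous hunk, `--xen` in this one and `--session-dir` in check_options_early. If the restriction is intended, the message in error_if_invalid_arg should say which characters are accepted, e.g. `echo "Argument for $1, $2, may only contain letters, digits and _:/,-." >&2`. Otherwise these options need a separate path check, with the value quoted wherever it is later expanded, rather than a shared character filter.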