[openwrt/openwrt] base-files: don't evaluate block-device uevent

LEDE Commits lede-commits at lists.infradead.org
Mon Feb 12 15:08:26 PST 2018


dangole pushed a commit to openwrt/openwrt.git, branch master:
https://git.lede-project.org/267873ac9b9e5565f1f1550c931c413f5b5dda9d

commit 267873ac9b9e5565f1f1550c931c413f5b5dda9d
Author: Daniel Golle <daniel at makrotopia.org>
AuthorDate: Mon Feb 12 23:36:54 2018 +0100

    base-files: don't evaluate block-device uevent
    
    Current code and also before commit da52dd0c83 was vulnerable to shell
    injection using volume labels in the GPT partition table of block
    devices. Given that partition names can be freely defined in GPT tables
    we really shouldn't evaluate a string which is potentially crafted with
    evil intentions. Hence rather use `export -n` to absorb the uevent's
    variables into the environment.
    
    Fixes commit da52dd0c83 (base-files: quote values when evaluating uevent)
    Signed-off-by: Daniel Golle <daniel at makrotopia.org>
    [mschiffer at universe-factory.net: suggested export -n usage]
---
 package/base-files/files/lib/upgrade/common.sh | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/package/base-files/files/lib/upgrade/common.sh b/package/base-files/files/lib/upgrade/common.sh
index 616131c..5f5c9dc 100644
--- a/package/base-files/files/lib/upgrade/common.sh
+++ b/package/base-files/files/lib/upgrade/common.sh
@@ -101,7 +101,7 @@ get_magic_long() {
 }
 
 export_bootdevice() {
-	local cmdline uuid disk uevent
+	local cmdline uuid disk uevent line
 	local MAJOR MINOR DEVNAME DEVTYPE
 
 	if read cmdline < /proc/cmdline; then
@@ -134,7 +134,9 @@ export_bootdevice() {
 		esac
 
 		if [ -e "$uevent" ]; then
-			eval "$(sed "s/=\(.*\)/=\'\1\'/" < "$uevent")"
+			while read line; do
+				export -n "$line"
+			done < "$uevent"
 			export BOOTDEV_MAJOR=$MAJOR
 			export BOOTDEV_MINOR=$MINOR
 			return 0
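Review bot: The new loop in export_bootdevice hands every line of the uevent file to `export -n`, so any key in the file is assigned, not only the four declared `local` (MAJOR, MINOR, DEVNAME, DEVTYPE). Any other key then becomes a variable in the caller's scope. `read` without `-r` also processes backslashes and treats a trailing one as a line continuation, so values are not taken verbatim. I would read with `IFS= read -r` and accept only the keys the function uses through a `case` match, as sketched below; the identical loop added to export_partdevice needs the same change. export_bootdevice starts and ends outside this hunk.

```shell
while IFS= read -r line; do
	# assign only the keys this function declares local; ignore the rest
	case "$line" in
		MAJOR=*|MINOR=*|DEVNAME=*|DEVTYPE=*) export -n "$line" ;;
	esac
done < "$uevent"
```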
@@ -146,10 +148,12 @@ export_bootdevice() {
 
 export_partdevice() {
 	local var="$1" offset="$2"
-	local uevent MAJOR MINOR DEVNAME DEVTYPE
+	local uevent line MAJOR MINOR DEVNAME DEVTYPE
 
 	for uevent in /sys/class/block/*/uevent; do
-		eval "$(sed "s/=\(.*\)/=\'\1\'/" < "$uevent")"
+		while read line; do
+			export -n "$line"
+		done < "$uevent"
 		if [ $BOOTDEV_MAJOR = $MAJOR -a $(($BOOTDEV_MINOR + $offset)) = $MINOR -a -b "/dev/$DEVNAME" ]; then
 			export "$var=$DEVNAME"
 			return 0
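Review bot: The test right after the new loop in export_partdevice expands `$BOOTDEV_MAJOR`, `$MAJOR` and `$MINOR` unquoted, and these values now come straight from the uevent file. The kernel normally emits plain numbers here, but an empty or missing value leaves `[` with a malformed expression, and the `-a` chain is ambiguous to parse. Quoting the operands and splitting the chain avoids both: `if [ "$BOOTDEV_MAJOR" = "$MAJOR" ] && [ "$(($BOOTDEV_MINOR + $offset))" = "$MINOR" ] && [ -b "/dev/$DEVNAME" ]; then`. The function body continues past the end of this hunk.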


