From e40f18454d0fbae93812fa25c78fabec58270a67 Mon Sep 17 00:00:00 2001
From: William Cohen <wcohen@redhat.com>
Date: Tue, 10 May 2011 16:42:31 -0400
Subject: [PATCH 4/4] Do additional checks on user supplied arguments
Avoid blindly setting variable to user-supplied values. Check to the values
to make sure they do not contain odd punctuation to address CVE-2011-1760.
The patch was ported by Luciano Bello
---
utils/opcontrol | 36 ++++++++++++++++++++++--------------
1 files changed, 22 insertions(+), 14 deletions(-)
--- a/utils/opcontrol
+++ b/utils/opcontrol
@@ -60,6 +60,43 @@
fi
}
+# guess_number_base() checks if string is a valid octal(8), hexidecimal(16),
+# or decimal number(10). The value is returned in $?. Returns 0, if string
+# isn't a octal, hexidecimal, or decimal number.
+guess_number_base()
+{
+ if [[ "$1" =~ ^0[0-7]*$ ]] ; then
+ return 8;
+ elif [[ "$1" =~ ^0x[0-9a-fA-F]+$ ]] ; then
+ return 16;
+ elif [[ "$1" =~ ^[1-9][0-9]*$ ]] ; then
+ return 10;
+ else
+ return 0;
+ fi
+}
+
+# check value is a valid number
+error_if_not_number()
+{
+ error_if_empty $1 $2
+ guess_number_base $2
+ if test "$?" -eq 0 ; then
+ echo "Argument for $1, $2, is not a valid number." >&2
+ exit 1
+ fi
+}
+
+error_if_invalid_arg()
+{
+ error_if_empty $1 $2
+ clean_val="`echo "$2" | tr -cd '[:alnum:]_:/,\-.'`"
+ if [ "x$2" != "x$clean_val" ]; then
+ echo "Argument for $1, $2, is not valid argument." >&2
+ exit 1
+ fi
+}
+
# rm_device arguments $1=file_name
rm_device()
{
@@ -436,7 +473,7 @@
# load the actual information from file
while IFS== read -r arg val; do
clean_arg="`echo "${arg}" | tr -cd '[:alnum:]_'`"
- clean_val="`echo "${val}" | tr -cd '[:alnum:]_:/.-'`"
+ clean_val="`echo "${val}" | tr -cd '[:alnum:]_:/,\-.'`"
if [ "x$arg" != "x$clean_arg" ]; then
echo "Invalid variable \"$arg\" in $SETUP_FILE."
exit 1
@@ -748,7 +785,7 @@
;;
--save)
- error_if_empty $arg $val
+ error_if_invalid_arg $arg $val
DUMP=yes
SAVE_SESSION=yes
SAVE_NAME=$val
@@ -773,7 +810,7 @@
# already processed
;;
--buffer-size)
- error_if_empty $arg $val
+ error_if_not_number $arg $val
BUF_SIZE=$val
DO_SETUP=yes
;;
@@ -782,7 +819,7 @@
echo "$arg unsupported for this kernel version"
exit 1
fi
- error_if_empty $arg $val
+ error_if_not_number $arg $val
BUF_WATERSHED=$val
DO_SETUP=yes
;;
@@ -791,12 +828,12 @@
echo "$arg unsupported for this kernel version"
exit 1
fi
- error_if_empty $arg $val
+ error_if_not_number $arg $val
CPU_BUF_SIZE=$val
DO_SETUP=yes
;;
-e|--event)
- error_if_empty $arg $val
+ error_if_invalid_arg $arg $val
# reset any read-in defaults from daemonrc
if test "$SEEN_EVENT" = "0"; then
NR_CHOSEN=0
@@ -817,7 +854,6 @@
DO_SETUP=yes
;;
-c|--callgraph)
- error_if_empty $arg $val
if test ! -f $MOUNT/backtrace_depth; then
echo "Call-graph profiling unsupported on this kernel/hardware" >&2
exit 1
@@ -826,7 +862,7 @@
DO_SETUP=yes
;;
--vmlinux)
- error_if_empty $arg $val
+ error_if_invalid_arg $arg $val
VMLINUX=$val
DO_SETUP=yes
;;
@@ -835,32 +871,32 @@
DO_SETUP=yes
;;
--kernel-range)
- error_if_empty $arg $val
+ error_if_invalid_arg $arg $val
KERNEL_RANGE=$val
DO_SETUP=yes
;;
--xen)
- error_if_empty $arg $val
+ error_if_invalid_arg $arg $val
XENIMAGE=$val
DO_SETUP=yes
;;
--active-domains)
- error_if_empty $arg $val
+ error_if_invalid_arg $arg $val
ACTIVE_DOMAINS=$val
DO_SETUP=yes
;;
--note-table-size)
- error_if_empty $arg $val
if test "$KERNEL_SUPPORT" = "yes"; then
echo "\"$arg\" meaningless on this kernel" >&2
exit 1
else
+ error_if_not_number $arg $val
NOTE_SIZE=$val
fi
DO_SETUP=yes
;;
-i|--image)
- error_if_empty $arg $val
+ error_if_invalid_arg $arg $val
if test "$val" = "all"; then
IMAGE_FILTER=
else
@@ -873,6 +909,7 @@
if test -z "$val"; then
VERBOSE="all"
else
+ error_if_invalid_arg $arg $val
VERBOSE=$val
fi
;;
@@ -1809,7 +1846,7 @@
exit 0
;;
--session-dir)
- error_if_empty $arg $val
+ error_if_invalid_arg $arg $val
SESSION_DIR="$val"
DO_SETUP=yes
# do not exit early
![[patchlogo]](http://patch-tracker.debian.org/static/img/swirlpatch.png)