From 05c0f8964a5c845348b8a6ce36560194b6cb2729 Mon Sep 17 00:00:00 2001 From: Pavel Valena Date: Thu, 14 May 2026 14:20:17 +0200 Subject: [PATCH 34/36] fix(base): escape arguments in initqueue hook script generation MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit initqueue.sh writes arguments directly into generated hook scripts via `echo "$exe" "$@"`. These scripts are later sourced by dracut-initqueue.sh, so shell metacharacters in arguments (e.g. DHCP-derived $netroot passed from parse-iscsiroot.sh) execute as root in initramfs. Replace `echo` with `printf '%q'` to shell-escape all arguments before writing them into the hook script, preventing command injection via DHCP-controlled netroot values. Remove the fragile embedded single-quote wrapping ("'$var'") from parse-iscsiroot.sh call sites (lines 90, 102) — those relied on echo writing quotes verbatim for the shell to strip when sourcing. With printf '%q', initqueue now handles escaping centrally, so the manual wrapping is no longer needed and would cause literal quote characters to leak into iscsiroot arguments. Co-Authored-By: Claude Opus 4.6 Related: RHEL-170844 --- modules.d/95iscsi/parse-iscsiroot.sh | 4 ++-- modules.d/99base/initqueue.sh | 3 ++- 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/modules.d/95iscsi/parse-iscsiroot.sh b/modules.d/95iscsi/parse-iscsiroot.sh index d932d4f7..bfc2270d 100755 --- a/modules.d/95iscsi/parse-iscsiroot.sh +++ b/modules.d/95iscsi/parse-iscsiroot.sh @@ -89,7 +89,7 @@ if [ -n "$iscsi_firmware" ]; then echo "${DRACUT_SYSTEMD+systemctl is-active initrd-root-device.target || }[ -f '/tmp/iscsistarted-firmware' ]" > "$hookdir"/initqueue/finished/iscsi_started.sh /sbin/initqueue --unique --online /sbin/iscsiroot online "iscsi:" "$NEWROOT" /sbin/initqueue --unique --onetime --timeout /sbin/iscsiroot timeout "iscsi:" "$NEWROOT" - /sbin/initqueue --unique --onetime --settled /sbin/iscsiroot online "iscsi:" "'$NEWROOT'" + /sbin/initqueue --unique --onetime --settled /sbin/iscsiroot online "iscsi:" "$NEWROOT" fi # ISCSI actually supported? @@ -105,7 +105,7 @@ modprobe -b -q be2iscsi if [ -n "$netroot" ] && [ "$root" != "/dev/root" ] && [ "$root" != "dhcp" ]; then if ! getargbool 1 rd.neednet > /dev/null || ! getarg "ip="; then - /sbin/initqueue --unique --onetime --settled /sbin/iscsiroot dummy "'$netroot'" "'$NEWROOT'" + /sbin/initqueue --unique --onetime --settled /sbin/iscsiroot dummy "$netroot" "$NEWROOT" fi fi diff --git a/modules.d/99base/initqueue.sh b/modules.d/99base/initqueue.sh index 46a00d2a..1caa5273 100755 --- a/modules.d/99base/initqueue.sh +++ b/modules.d/99base/initqueue.sh @@ -64,7 +64,8 @@ fi # shellcheck disable=SC2016 [ -n "$onetime" ] && echo '[ -e "$job" ] && rm -f -- "$job"' [ -n "$env" ] && echo "$env" - echo "$exe" "$@" + printf '%q ' "$exe" "$@" + printf '\n' } > "/tmp/$$-${job}.sh" mv -f "/tmp/$$-${job}.sh" "$hookdir/initqueue${qname}/${job}.sh" -- 2.54.0