From eaf700abda3eb7a1f7eecd6b8f374adc4bfe6349 Mon Sep 17 00:00:00 2001 From: Pavel Valena Date: Tue, 12 May 2026 03:27:22 +0200 Subject: [PATCH] fix(base): escape arguments in initqueue hook script generation MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit initqueue.sh writes arguments directly into generated hook scripts via `echo "$exe" "$@"`. These scripts are later sourced by dracut-initqueue.sh, so shell metacharacters in arguments (e.g. DHCP-derived $netroot passed from parse-iscsiroot.sh) execute as root in initramfs. Replace `echo` with `printf '%q'` to shell-escape all arguments before writing them into the hook script, preventing command injection via DHCP-controlled netroot values. Remove the fragile embedded single-quote wrapping ("'$var'") from parse-iscsiroot.sh call sites (lines 90, 102) — those relied on echo writing quotes verbatim for the shell to strip when sourcing. With printf '%q', initqueue now handles escaping centrally, so the manual wrapping is no longer needed and would cause literal quote characters to leak into iscsiroot arguments. Co-Authored-By: Claude Opus 4.6 Related: RHEL-170847 --- modules.d/95iscsi/parse-iscsiroot.sh | 6 +++--- modules.d/99base/initqueue.sh | 3 ++- 2 files changed, 5 insertions(+), 4 deletions(-) diff --git a/modules.d/95iscsi/parse-iscsiroot.sh b/modules.d/95iscsi/parse-iscsiroot.sh index 1a26041d..241f1bdd 100755 --- a/modules.d/95iscsi/parse-iscsiroot.sh +++ b/modules.d/95iscsi/parse-iscsiroot.sh @@ -87,7 +87,7 @@ if [ -n "$iscsi_firmware" ]; then echo "${DRACUT_SYSTEMD+systemctl is-active initrd-root-device.target || }[ -f '/tmp/iscsistarted-firmware' ]" > $hookdir/initqueue/finished/iscsi_started.sh initqueue --unique --online /sbin/iscsiroot online "iscsi:" "$NEWROOT" initqueue --unique --onetime --timeout /sbin/iscsiroot timeout "iscsi:" "$NEWROOT" - initqueue --unique --onetime --settled /sbin/iscsiroot online "iscsi:" "'$NEWROOT'" + initqueue --unique --onetime --settled /sbin/iscsiroot online "iscsi:" "$NEWROOT" fi # ISCSI actually supported? @@ -98,8 +98,8 @@ fi modprobe --all -b -q qla4xxx cxgb3i cxgb4i bnx2i be2iscsi if [ -n "$netroot" ] && [ "$root" != "/dev/root" ] && [ "$root" != "dhcp" ]; then - if ! getargbool 1 rd.neednet >/dev/null || ! getarg "ip="; then - initqueue --unique --onetime --settled /sbin/iscsiroot dummy "'$netroot'" "'$NEWROOT'" + if ! getargbool 1 rd.neednet > /dev/null || ! getarg "ip="; then + initqueue --unique --onetime --settled /sbin/iscsiroot dummy "$netroot" "$NEWROOT" fi fi diff --git a/modules.d/99base/initqueue.sh b/modules.d/99base/initqueue.sh index c3016383..184414ab 100755 --- a/modules.d/99base/initqueue.sh +++ b/modules.d/99base/initqueue.sh @@ -52,7 +52,8 @@ fi { [ -n "$onetime" ] && echo '[ -e "$job" ] && rm -f -- "$job"' [ -n "$env" ] && echo "$env" - echo "$exe" "$@" + printf '%q ' "$exe" "$@" + printf '\n' } > "/tmp/$$-${job}.sh" mv -f "/tmp/$$-${job}.sh" "$hookdir/initqueue${qname}/${job}.sh"