102 lines
4.9 KiB
Diff
102 lines
4.9 KiB
Diff
From b1a90189bfe562ecc57cd3e91c86ac5206b89b99 Mon Sep 17 00:00:00 2001
|
|
From: Pavel Valena <pvalena@redhat.com>
|
|
Date: Thu, 7 May 2026 00:45:31 +0200
|
|
Subject: [PATCH 33/34] fix(iscsi): replace `echo` writes with `printf` to
|
|
prevent variable injection
|
|
MIME-Version: 1.0
|
|
Content-Type: text/plain; charset=UTF-8
|
|
Content-Transfer-Encoding: 8bit
|
|
|
|
Use printf with explicit variable escaping `%q` for shell scripts:
|
|
- mount-lun.sh hookdir script (iscsi_lun variable)
|
|
- udev rule (iscsi_lun sanitized via tr -d '"')
|
|
- initiatorname.iscsi (sourced as shell at iscsiroot.sh:161-163)
|
|
|
|
Note: initiatorname.iscsi is also read by iscsid as plain text (no
|
|
shell unquoting). For valid IQNs ([a-z0-9.:_-]), %q is a no-op, so
|
|
iscsid sees the value unchanged. For malicious values with special
|
|
characters, %q would produce shell escaping that iscsid reads
|
|
literally — breaking the connection rather than allowing injection.
|
|
|
|
(cherry picked from commit e61fe6afe015744baebfd96411015ae360c1af08)
|
|
|
|
Related: RHEL-170844
|
|
---
|
|
modules.d/95iscsi/iscsiroot.sh | 10 +++++-----
|
|
modules.d/95iscsi/parse-iscsiroot.sh | 4 ++--
|
|
2 files changed, 7 insertions(+), 7 deletions(-)
|
|
|
|
diff --git a/modules.d/95iscsi/iscsiroot.sh b/modules.d/95iscsi/iscsiroot.sh
|
|
index d22e958c..1898ef57 100755
|
|
--- a/modules.d/95iscsi/iscsiroot.sh
|
|
+++ b/modules.d/95iscsi/iscsiroot.sh
|
|
@@ -144,7 +144,7 @@ handle_netroot() {
|
|
|
|
if [ -z "$iscsi_initiator" ] && [ -f /sys/firmware/ibft/initiator/initiator-name ] && ! [ -f /tmp/iscsi_set_initiator ]; then
|
|
iscsi_initiator=$(while read -r line || [ -n "$line" ]; do echo "$line"; done < /sys/firmware/ibft/initiator/initiator-name)
|
|
- echo "InitiatorName=$iscsi_initiator" > /run/initiatorname.iscsi
|
|
+ printf 'InitiatorName=%q\n' "$iscsi_initiator" > /run/initiatorname.iscsi
|
|
rm -f /etc/iscsi/initiatorname.iscsi
|
|
mkdir -p /etc/iscsi
|
|
ln -fs /run/initiatorname.iscsi /etc/iscsi/initiatorname.iscsi
|
|
@@ -165,7 +165,7 @@ handle_netroot() {
|
|
|
|
if [ -z "$iscsi_initiator" ]; then
|
|
iscsi_initiator=$(iscsi-iname)
|
|
- echo "InitiatorName=$iscsi_initiator" > /run/initiatorname.iscsi
|
|
+ printf 'InitiatorName=%q\n' "$iscsi_initiator" > /run/initiatorname.iscsi
|
|
rm -f /etc/iscsi/initiatorname.iscsi
|
|
mkdir -p /etc/iscsi
|
|
ln -fs /run/initiatorname.iscsi /etc/iscsi/initiatorname.iscsi
|
|
@@ -189,7 +189,7 @@ handle_netroot() {
|
|
iscsi_lun=0
|
|
fi
|
|
|
|
- echo "InitiatorName=$iscsi_initiator" > /run/initiatorname.iscsi
|
|
+ printf 'InitiatorName=%q\n' "$iscsi_initiator" > /run/initiatorname.iscsi
|
|
ln -fs /run/initiatorname.iscsi /dev/.initiatorname.iscsi
|
|
if ! [ -e /etc/iscsi/initiatorname.iscsi ]; then
|
|
mkdir -p /etc/iscsi
|
|
@@ -210,14 +210,14 @@ handle_netroot() {
|
|
|
|
if [ "$root" = "dhcp" ] || [ "$netroot" = "dhcp" ]; then
|
|
# if root is not specified try to mount the whole iSCSI LUN
|
|
- printf 'SYMLINK=="disk/by-path/*-iscsi-*-%s", SYMLINK+="root"\n' "$iscsi_lun" >> /etc/udev/rules.d/99-iscsi-root.rules
|
|
+ printf 'SYMLINK=="disk/by-path/*-iscsi-*-%s", SYMLINK+="root"\n' "$(printf '%s' "$iscsi_lun" | tr -d '"')" >> /etc/udev/rules.d/99-iscsi-root.rules
|
|
udevadm control --reload
|
|
write_fs_tab /dev/root
|
|
wait_for_dev -n /dev/root
|
|
|
|
# install mount script
|
|
[ -z "$DRACUT_SYSTEMD" ] \
|
|
- && echo "iscsi_lun=$iscsi_lun . /bin/mount-lun.sh " > "$hookdir"/mount/01-$$-iscsi.sh
|
|
+ && printf 'iscsi_lun=%q . /bin/mount-lun.sh\n' "$iscsi_lun" > "$hookdir"/mount/01-$$-iscsi.sh
|
|
fi
|
|
|
|
if strglobin "$iscsi_target_ip" '*:*:*' && ! strglobin "$iscsi_target_ip" '['; then
|
|
diff --git a/modules.d/95iscsi/parse-iscsiroot.sh b/modules.d/95iscsi/parse-iscsiroot.sh
|
|
index a388bec1..d932d4f7 100755
|
|
--- a/modules.d/95iscsi/parse-iscsiroot.sh
|
|
+++ b/modules.d/95iscsi/parse-iscsiroot.sh
|
|
@@ -111,7 +111,7 @@ fi
|
|
|
|
if arg=$(getarg rd.iscsi.initiator -d iscsi_initiator=) && [ -n "$arg" ] && ! [ -f /run/initiatorname.iscsi ]; then
|
|
iscsi_initiator=$arg
|
|
- echo "InitiatorName=$iscsi_initiator" > /run/initiatorname.iscsi
|
|
+ printf 'InitiatorName=%q\n' "$iscsi_initiator" > /run/initiatorname.iscsi
|
|
ln -fs /run/initiatorname.iscsi /dev/.initiatorname.iscsi
|
|
rm -f /etc/iscsi/initiatorname.iscsi
|
|
mkdir -p /etc/iscsi
|
|
@@ -127,7 +127,7 @@ fi
|
|
if [ -z "$iscsi_initiator" ] && [ -f /sys/firmware/ibft/initiator/initiator-name ] && ! [ -f /tmp/iscsi_set_initiator ]; then
|
|
iscsi_initiator=$(while read -r line || [ -n "$line" ]; do echo "$line"; done < /sys/firmware/ibft/initiator/initiator-name)
|
|
if [ -n "$iscsi_initiator" ]; then
|
|
- echo "InitiatorName=$iscsi_initiator" > /run/initiatorname.iscsi
|
|
+ printf 'InitiatorName=%q\n' "$iscsi_initiator" > /run/initiatorname.iscsi
|
|
rm -f /etc/iscsi/initiatorname.iscsi
|
|
mkdir -p /etc/iscsi
|
|
ln -fs /run/initiatorname.iscsi /etc/iscsi/initiatorname.iscsi
|
|
--
|
|
2.54.0
|
|
|