dracut/SOURCES/0242.patch

From eaf700abda3eb7a1f7eecd6b8f374adc4bfe6349 Mon Sep 17 00:00:00 2001
From: Pavel Valena <pvalena@redhat.com>
Date: Tue, 12 May 2026 03:27:22 +0200
Subject: [PATCH] fix(base): escape arguments in initqueue hook script
 generation
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

initqueue.sh writes arguments directly into generated hook scripts
via `echo "$exe" "$@"`. These scripts are later sourced by
dracut-initqueue.sh, so shell metacharacters in arguments (e.g.
DHCP-derived $netroot passed from parse-iscsiroot.sh) execute as
root in initramfs.

Replace `echo` with `printf '%q'` to shell-escape all arguments
before writing them into the hook script, preventing command
injection via DHCP-controlled netroot values.

Remove the fragile embedded single-quote wrapping ("'$var'") from
parse-iscsiroot.sh call sites (lines 90, 102) — those relied on
echo writing quotes verbatim for the shell to strip when sourcing.
With printf '%q', initqueue now handles escaping centrally, so the
manual wrapping is no longer needed and would cause literal quote
characters to leak into iscsiroot arguments.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Related: RHEL-170847
---
 modules.d/95iscsi/parse-iscsiroot.sh | 6 +++---
 modules.d/99base/initqueue.sh        | 3 ++-
 2 files changed, 5 insertions(+), 4 deletions(-)

diff --git a/modules.d/95iscsi/parse-iscsiroot.sh b/modules.d/95iscsi/parse-iscsiroot.sh
index 1a26041d..241f1bdd 100755
--- a/modules.d/95iscsi/parse-iscsiroot.sh
+++ b/modules.d/95iscsi/parse-iscsiroot.sh
@@ -87,7 +87,7 @@ if [ -n "$iscsi_firmware" ]; then
     echo "${DRACUT_SYSTEMD+systemctl is-active initrd-root-device.target || }[ -f '/tmp/iscsistarted-firmware' ]" > $hookdir/initqueue/finished/iscsi_started.sh
     initqueue --unique --online /sbin/iscsiroot online "iscsi:" "$NEWROOT"
     initqueue --unique --onetime --timeout /sbin/iscsiroot timeout "iscsi:" "$NEWROOT"
-    initqueue --unique --onetime --settled /sbin/iscsiroot online "iscsi:" "'$NEWROOT'"
+    initqueue --unique --onetime --settled /sbin/iscsiroot online "iscsi:" "$NEWROOT"
 fi
 
 # ISCSI actually supported?
@@ -98,8 +98,8 @@ fi
 modprobe --all -b -q qla4xxx cxgb3i cxgb4i bnx2i be2iscsi
 
 if [ -n "$netroot" ] && [ "$root" != "/dev/root" ] && [ "$root" != "dhcp" ]; then
-    if ! getargbool 1 rd.neednet >/dev/null || ! getarg "ip="; then
-        initqueue --unique --onetime --settled /sbin/iscsiroot dummy "'$netroot'" "'$NEWROOT'"
+    if ! getargbool 1 rd.neednet > /dev/null || ! getarg "ip="; then
+        initqueue --unique --onetime --settled /sbin/iscsiroot dummy "$netroot" "$NEWROOT"
     fi
 fi
 
diff --git a/modules.d/99base/initqueue.sh b/modules.d/99base/initqueue.sh
index c3016383..184414ab 100755
--- a/modules.d/99base/initqueue.sh
+++ b/modules.d/99base/initqueue.sh
@@ -52,7 +52,8 @@ fi
 {
     [ -n "$onetime" ] && echo '[ -e "$job" ] && rm -f -- "$job"'
     [ -n "$env" ] && echo "$env"
-    echo "$exe" "$@"
+    printf '%q ' "$exe" "$@"
+    printf '\n'
 } > "/tmp/$$-${job}.sh"
 
 mv -f "/tmp/$$-${job}.sh" "$hookdir/initqueue${qname}/${job}.sh"