tools/qvm-start: validate output of losetup command

QubesOS/qubes-issues#4860
2019-02-28 06:19:56 +01:00 · 2019-02-28 06:19:56 +01:00 · fb910a71cf
commit fb910a71cf
parent a2629b1239
1 changed files with 12 additions and 2 deletions
--- a/qubesadmin/tools/qvm_start.py
+++ b/qubesadmin/tools/qvm_start.py
@ -20,6 +20,7 @@

 '''qvm-start - start a domain'''
 import argparse
+import string
 import sys

 import subprocess
@ -114,14 +115,23 @@ def get_drive_assignment(app, drive_str):
            if backend_domain.klass == 'AdminVM':
                loop_name = subprocess.check_output(
                    ['sudo', 'losetup', '-f', '--show', ident])
+                loop_name = loop_name.strip()
            else:
-                loop_name, _ = backend_domain.run_with_args(
+                untrusted_loop_name, _ = backend_domain.run_with_args(
                    'losetup', '-f', '--show', ident,
                    user='root')
+                untrusted_loop_name = untrusted_loop_name.strip()
+                allowed_chars = string.ascii_lowercase + string.digits + '/'
+                allowed_chars = allowed_chars.encode('ascii')
+                if not all(c in allowed_chars for c in untrusted_loop_name):
+                    raise qubesadmin.exc.QubesException(
+                        'Invalid loop device name received from {}'.format(
+                            backend_domain.name))
+                loop_name = untrusted_loop_name
+                del untrusted_loop_name
        except subprocess.CalledProcessError:
            raise qubesadmin.exc.QubesException(
                'Failed to setup loop device for %s', ident)
-        loop_name = loop_name.strip()
        assert loop_name.startswith(b'/dev/loop')
        ident = loop_name.decode().split('/')[2]
        # wait for device to appear