From fb910a71cf445020c527ceddc4b769928e06ab1b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?=
Date: Thu, 28 Feb 2019 06:19:56 +0100
Subject: [PATCH] tools/qvm-start: validate output of losetup command QubesOS/qubes-issues#4860
---
 qubesadmin/tools/qvm_start.py | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)
diff --git a/qubesadmin/tools/qvm_start.py b/qubesadmin/tools/qvm_start.py
index 4670f44..260d713 100644
--- a/qubesadmin/tools/qvm_start.py
+++ b/qubesadmin/tools/qvm_start.py
@@ -20,6 +20,7 @@
 '''qvm-start - start a domain'''
 import argparse
+import string
 import sys
 import subprocess
@@ -114,14 +115,23 @@ def get_drive_assignment(app, drive_str):
 if backend_domain.klass == 'AdminVM':
 loop_name = subprocess.check_output(
 ['sudo', 'losetup', '-f', '--show', ident])
+ loop_name = loop_name.strip()
 else:
- loop_name, _ = backend_domain.run_with_args(
+ untrusted_loop_name, _ = backend_domain.run_with_args(
 'losetup', '-f', '--show', ident,
 user='root')
+ untrusted_loop_name = untrusted_loop_name.strip()
+ allowed_chars = string.ascii_lowercase + string.digits + '/'
+ allowed_chars = allowed_chars.encode('ascii')
+ if not all(c in allowed_chars for c in untrusted_loop_name):
+ raise qubesadmin.exc.QubesException(
+ 'Invalid loop device name received from {}'.format(
+ backend_domain.name))
+ loop_name = untrusted_loop_name
+ del untrusted_loop_name
 except subprocess.CalledProcessError:
 raise qubesadmin.exc.QubesException(
 'Failed to setup loop device for %s', ident)
- loop_name = loop_name.strip()
 assert loop_name.startswith(b'/dev/loop')
 ident = loop_name.decode().split('/')[2]
 # wait for device to appear
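Review bot: The new allow-list on `untrusted_loop_name` only restricts the character set, so an empty reply or any lowercase path that is not a loop device still passes it. The shape of the name is then enforced only by the unchanged `assert loop_name.startswith(b'/dev/loop')` below, which disappears when Python runs with `-O`, after which `split('/')[2]` would either raise IndexError or take an arbitrary device name from the backend domain. I would validate the full form where the value is still marked untrusted, for example `if not re.match(br'\A/dev/loop[0-9]+\Z', untrusted_loop_name):` raising the same `QubesException` (this needs `import re`), and turn the assert into an explicit raise. The enclosing `try:` and the rest of `get_drive_assignment` lie outside this hunk, so how `ident` is used afterwards is not visible here.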