tools/qvm-start: validate output of losetup command

QubesOS/qubes-issues#4860

qubesadmin/tools/qvm_start.py

@@ -20,6 +20,7 @@
 
 '''qvm-start - start a domain'''
 import argparse
+import string
 import sys
 
 import subprocess
@@ -114,14 +115,23 @@ def get_drive_assignment(app, drive_str):
             if backend_domain.klass == 'AdminVM':
                 loop_name = subprocess.check_output(
                     ['sudo', 'losetup', '-f', '--show', ident])
+                loop_name = loop_name.strip()
             else:
-                loop_name, _ = backend_domain.run_with_args(
+                untrusted_loop_name, _ = backend_domain.run_with_args(
                     'losetup', '-f', '--show', ident,
                     user='root')
+                untrusted_loop_name = untrusted_loop_name.strip()
+                allowed_chars = string.ascii_lowercase + string.digits + '/'
+                allowed_chars = allowed_chars.encode('ascii')
+                if not all(c in allowed_chars for c in untrusted_loop_name):
+                    raise qubesadmin.exc.QubesException(
+                        'Invalid loop device name received from {}'.format(
+                            backend_domain.name))
+                loop_name = untrusted_loop_name
+                del untrusted_loop_name
         except subprocess.CalledProcessError:
             raise qubesadmin.exc.QubesException(
                 'Failed to setup loop device for %s', ident)
-        loop_name = loop_name.strip()
         assert loop_name.startswith(b'/dev/loop')
         ident = loop_name.decode().split('/')[2]
         # wait for device to appear