Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[device/mellanox] Mitigation for security vulnerability #11877

Merged
merged 12 commits into from
Oct 6, 2022

Conversation

maipbui
Copy link
Contributor

@maipbui maipbui commented Aug 29, 2022

Signed-off-by: maipbui [email protected]

Dependency: PR (#12065) needs to merge first.

Why I did it

subprocess.Popen() and subprocess.check_output() is used with shell=True, which is very dangerous for shell injection.

How I did it

Disable shell=True, enable shell=False

How to verify it

Tested on DUT, compare and verify the output between the original behavior and the new changes' behavior.
testresults.zip

Which release branch to backport (provide reason below if selected)

  • 201811
  • 201911
  • 202006
  • 202012
  • 202106
  • 202111
  • 202205

Description for the changelog

Link to config_db schema for YANG module changes

A picture of a cute animal (not mandatory but encouraged)

Copy link
Collaborator

@qiluo-msft qiluo-msft left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM. Please wait more reviewers to verify and approve.

@maipbui maipbui marked this pull request as ready for review September 1, 2022 04:35
@Yarden-Z
Copy link

I see that this change was done only for 2700, we do not want to backport this?

@maipbui
Copy link
Contributor Author

maipbui commented Sep 13, 2022

I see that this change was done only for 2700, we do not want to backport this?

@Yarden-Z, Qi added backport. can you check you can review and approve?

@Yarden-Z
Copy link

I see that this change was done only for 2700, we do not want to backport this?

@Yarden-Z, Qi added backport. can you check you can review and approve?

Seems as though it is referenced to 2700 in other platforms.
Verified and approved

@lgtm-com
Copy link

lgtm-com bot commented Sep 16, 2022

This pull request fixes 1 alert when merging bd9cf87 into a1b50ca - view on LGTM.com

fixed alerts:

  • 1 for Unused import

Signed-off-by: maipbui <[email protected]>
@lgtm-com
Copy link

lgtm-com bot commented Sep 16, 2022

This pull request fixes 1 alert when merging 20e2cd7 into a1b50ca - view on LGTM.com

fixed alerts:

  • 1 for Unused import

fs_path = p3.communicate()[0].rstrip('\n')
p1.wait()
p2.wait()
if p1.returncode != 0 and p2.returncode != 0 and p3.returncode != 0:
Copy link
Collaborator

@qiluo-msft qiluo-msft Sep 16, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

and

or #Closed

cmd1 = ['fdisk', '-l']
cmd2 = ['grep', 'ONIE boot']
cmd3 = ['awk', '{print $1}']
with subprocess.Popen(cmd1, universal_newlines=True, stdout=subprocess.PIPE) as p1:
Copy link
Collaborator

@qiluo-msft qiluo-msft Sep 16, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

with subprocess.Popen(cmd1, universal_newlines=True, stdout=subprocess.PIPE) as p1:

Possible to move to common library, maybe the 2 cmd function could be extended to multiple cmds. #Closed

@lgtm-com
Copy link

lgtm-com bot commented Sep 18, 2022

This pull request introduces 1 alert and fixes 1 when merging a16ed29 into 1effff9 - view on LGTM.com

new alerts:

  • 1 for Variable defined multiple times

fixed alerts:

  • 1 for Unused import

@maipbui
Copy link
Contributor Author

maipbui commented Sep 20, 2022

@Yarden-Z I made some changes, could you help review?

@maipbui
Copy link
Contributor Author

maipbui commented Sep 20, 2022

/azp run Azure.sonic-buildimage

@azure-pipelines
Copy link

Azure Pipelines successfully started running 1 pipeline(s).

@Yarden-Z
Copy link

Yarden-Z commented Oct 3, 2022

@Yarden-Z I made some changes, could you help review?

Went over the new commit, did not find anything new to comment on.

@lgtm-com
Copy link

lgtm-com bot commented Oct 3, 2022

This pull request introduces 1 alert and fixes 1 when merging ba3c5de into 2f46689 - view on LGTM.com

new alerts:

  • 1 for Variable defined multiple times

fixed alerts:

  • 1 for Unused import

Signed-off-by: maipbui <[email protected]>
@lgtm-com
Copy link

lgtm-com bot commented Oct 5, 2022

This pull request introduces 1 alert and fixes 1 when merging 1e62cff into 1f0699f - view on LGTM.com

new alerts:

  • 1 for Variable defined multiple times

fixed alerts:

  • 1 for Unused import

Signed-off-by: maipbui <[email protected]>
@lgtm-com
Copy link

lgtm-com bot commented Oct 5, 2022

This pull request introduces 1 alert and fixes 1 when merging c35ec09 into 1f0699f - view on LGTM.com

new alerts:

  • 1 for Variable defined multiple times

fixed alerts:

  • 1 for Unused import

cmd = "mount -n -r -t ext4 {} {}".format(fs_path, fs_mountpoint)
subprocess.check_call(cmd, shell=True, universal_newlines=True)
cmd = ["mount", "-n", "-r", "-t", "ext4", fs_path, fs_mountpoint]
subprocess.check_call(cmd, universal_newlines=True)
Copy link
Collaborator

@stephenxs stephenxs Oct 21, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It is not able to mount fs without shell=True.
Looks like it doesn't have the privilege to access /dev/sda2/

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

could you share the error log?

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

My bad. it doesn't relevant to the PR. it's because there is a \n at the end of /dev/sda2.
We will fix it on the platform API side.
Sorry for the inconvenient.

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sorry. I realized the missing \n was still introduced by this PR. PR #12465 to fix it. can you please review it?
thanks.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the fix!

liat-grozovik pushed a commit that referenced this pull request Oct 23, 2022
This fixes the following error

```
admin@sonic:~$ sudo fwutil show status
mount: /mnt/onie-fs: special device /dev/sda2
 does not exist.
Error: Command '['mount', '-n', '-r', '-t', 'ext4', '/dev/sda2\n', '/mnt/onie-fs']' returned non-zero exit status 32.. Aborting...
Aborted!
admin@sonic:~$ sudo vi /usr/local/lib/python3.9/dist-packages/sonic_platform/

```
Seems like #11877 the rstrip('\n') was removed. Probably by mistake.

Signed-off-by: Stephen Sun <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants