-
Notifications
You must be signed in to change notification settings - Fork 1.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[device/mellanox] Mitigation for security vulnerability #11877
Conversation
Signed-off-by: maipbui <[email protected]>
Signed-off-by: maipbui <[email protected]>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM. Please wait more reviewers to verify and approve.
I see that this change was done only for 2700, we do not want to backport this? |
@Yarden-Z, Qi added backport. can you check you can review and approve? |
Seems as though it is referenced to 2700 in other platforms. |
Signed-off-by: maipbui <[email protected]>
Signed-off-by: maipbui <[email protected]>
Signed-off-by: maipbui <[email protected]>
Signed-off-by: maipbui <[email protected]>
This pull request fixes 1 alert when merging bd9cf87 into a1b50ca - view on LGTM.com fixed alerts:
|
Signed-off-by: maipbui <[email protected]>
This pull request fixes 1 alert when merging 20e2cd7 into a1b50ca - view on LGTM.com fixed alerts:
|
fs_path = p3.communicate()[0].rstrip('\n') | ||
p1.wait() | ||
p2.wait() | ||
if p1.returncode != 0 and p2.returncode != 0 and p3.returncode != 0: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
cmd1 = ['fdisk', '-l'] | ||
cmd2 = ['grep', 'ONIE boot'] | ||
cmd3 = ['awk', '{print $1}'] | ||
with subprocess.Popen(cmd1, universal_newlines=True, stdout=subprocess.PIPE) as p1: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Signed-off-by: maipbui <[email protected]>
This pull request introduces 1 alert and fixes 1 when merging a16ed29 into 1effff9 - view on LGTM.com new alerts:
fixed alerts:
|
@Yarden-Z I made some changes, could you help review? |
/azp run Azure.sonic-buildimage |
Azure Pipelines successfully started running 1 pipeline(s). |
Went over the new commit, did not find anything new to comment on. |
This pull request introduces 1 alert and fixes 1 when merging ba3c5de into 2f46689 - view on LGTM.com new alerts:
fixed alerts:
|
Signed-off-by: maipbui <[email protected]>
This pull request introduces 1 alert and fixes 1 when merging 1e62cff into 1f0699f - view on LGTM.com new alerts:
fixed alerts:
|
Signed-off-by: maipbui <[email protected]>
This pull request introduces 1 alert and fixes 1 when merging c35ec09 into 1f0699f - view on LGTM.com new alerts:
fixed alerts:
|
cmd = "mount -n -r -t ext4 {} {}".format(fs_path, fs_mountpoint) | ||
subprocess.check_call(cmd, shell=True, universal_newlines=True) | ||
cmd = ["mount", "-n", "-r", "-t", "ext4", fs_path, fs_mountpoint] | ||
subprocess.check_call(cmd, universal_newlines=True) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It is not able to mount fs without shell=True
.
Looks like it doesn't have the privilege to access /dev/sda2/
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
could you share the error log?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
My bad. it doesn't relevant to the PR. it's because there is a \n
at the end of /dev/sda2
.
We will fix it on the platform API side.
Sorry for the inconvenient.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Sorry. I realized the missing \n
was still introduced by this PR. PR #12465 to fix it. can you please review it?
thanks.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for the fix!
This fixes the following error ``` admin@sonic:~$ sudo fwutil show status mount: /mnt/onie-fs: special device /dev/sda2 does not exist. Error: Command '['mount', '-n', '-r', '-t', 'ext4', '/dev/sda2\n', '/mnt/onie-fs']' returned non-zero exit status 32.. Aborting... Aborted! admin@sonic:~$ sudo vi /usr/local/lib/python3.9/dist-packages/sonic_platform/ ``` Seems like #11877 the rstrip('\n') was removed. Probably by mistake. Signed-off-by: Stephen Sun <[email protected]>
Related work items: sonic-net#2151, sonic-net#2194, sonic-net#2224, sonic-net#2237, sonic-net#2264, sonic-net#2281, sonic-net#2286, sonic-net#2297, sonic-net#2299, sonic-net#2305, sonic-net#2325, sonic-net#2335, sonic-net#2338, sonic-net#2341, sonic-net#2343, sonic-net#2347, sonic-net#2350, sonic-net#2355, sonic-net#2356, sonic-net#2358, sonic-net#2360, sonic-net#2363, sonic-net#2367, sonic-net#2368, sonic-net#2370, sonic-net#2374, sonic-net#2392, sonic-net#2398, sonic-net#2408, sonic-net#2414, sonic-net#2415, sonic-net#2419, sonic-net#2421, sonic-net#2422, sonic-net#2423, sonic-net#2426, sonic-net#2427, sonic-net#2430, sonic-net#2431, sonic-net#2433, sonic-net#2434, sonic-net#2436, sonic-net#2437, sonic-net#2441, sonic-net#2444, sonic-net#2445, sonic-net#2446, sonic-net#2456, sonic-net#2458, sonic-net#2460, sonic-net#2461, sonic-net#2463, sonic-net#2472, sonic-net#2475, sonic-net#11877, sonic-net#12024, sonic-net#12065, sonic-net#12097, sonic-net#12130, sonic-net#12209, sonic-net#12217, sonic-net#12244, sonic-net#12251, sonic-net#12255, sonic-net#12276, sonic-net#12284
Signed-off-by: maipbui [email protected]
Dependency: PR (#12065) needs to merge first.
Why I did it
subprocess.Popen()
andsubprocess.check_output()
is used withshell=True
, which is very dangerous for shell injection.How I did it
Disable
shell=True
, enableshell=False
How to verify it
Tested on DUT, compare and verify the output between the original behavior and the new changes' behavior.
testresults.zip
Which release branch to backport (provide reason below if selected)
Description for the changelog
Link to config_db schema for YANG module changes
A picture of a cute animal (not mandatory but encouraged)