From 60c6826aa5f5e7e9598c2d5cb97663b0fabc5f49 Mon Sep 17 00:00:00 2001
From: Vchanger
Date: Fri, 8 Mar 2024 16:20:28 +0800
Subject: [PATCH] fix command injection in ioprobe

(cherry picked from commit 7389bb2057607dede5f0c9ba397add9a5c162850)
---
 gala-gopher.spec | 6 +-
 ioprobe-fix-command-injection.patch | 93 +++++++++++++++++++++++++++++
 2 files changed, 98 insertions(+), 1 deletion(-)
 create mode 100644 ioprobe-fix-command-injection.patch

diff --git a/gala-gopher.spec b/gala-gopher.spec
index 7f9d753..a26e48d 100644
--- a/gala-gopher.spec
+++ b/gala-gopher.spec
@@ -6,7 +6,7 @@ Summary: Intelligent ops toolkit for openEuler
 Name: gala-gopher
 Version: 1.0.2
-Release: 3
+Release: 4
 License: Mulan PSL v2
 URL: https://gitee.com/openeuler/gala-gopher
 Source: %{name}-%{version}.tar.gz
@@ -41,6 +41,7 @@ Patch18: fix-fix-install-error.patch
 Patch19: bugfix-zombie-task.patch
 Patch20: fix-add-default-data-of-event-conf.patch
 Patch21: fix-access-violation.patch
+Patch22: ioprobe-fix-command-injection.patch
 
 %description
 gala-gopher is a low-overhead eBPF-based probes framework
@@ -100,6 +101,9 @@ fi
 /usr/lib/systemd/system/gala-gopher.service
 
 %changelog
+* Fri Mar 8 2024 Zhen Chen - 1.0.2-4
+- fix command injection in ioprobe
+
 * Fri Jun 9 2023 Tangxin Xie - 1.0.2-3
 - fix httpprobe find libssl path
 Fix segmentation fault of gala-gopher cmd
diff --git a/ioprobe-fix-command-injection.patch b/ioprobe-fix-command-injection.patch
new file mode 100644
index 0000000..fb67da0
--- /dev/null
+++ b/ioprobe-fix-command-injection.patch
@@ -0,0 +1,93 @@
+From e37d4df29ff7191bff516f30a0640ed1a0791264 Mon Sep 17 00:00:00 2001
+From: Vchanger
+Date: Mon, 4 Mar 2024 20:22:55 +0800
+Subject: [PATCH] ioprobe: fix command injection
+
+---
+ src/common/common.h | 1 +
+ src/common/util.c | 24 +++++++++++++++++++
+ .../extends/ebpf.probe/src/ioprobe/ioprobe.c | 8 ++++++-
+ 3 files changed, 32 insertions(+), 1 deletion(-)
+
+diff --git a/src/common/common.h b/src/common/common.h
+index e7a8dee..5965444 100644
+--- a/src/common/common.h
++++ b/src/common/common.h
+@@ -196,5 +196,6 @@ int __snprintf(char **buf, const int bufLen, int *remainLen, const char *format,
+ char is_digit_str(const char *s);
+ int get_system_uuid(char *buffer, unsigned int size);
+ int copy_file(const char *dst_file, const char *src_file);
++int check_path_for_security(const char *path);
+ 
+ #endif
+diff --git a/src/common/util.c b/src/common/util.c
+index 98d5b12..9f7c861 100644
+--- a/src/common/util.c
++++ b/src/common/util.c
+@@ -22,6 +22,9 @@
+ #include
+ #include "common.h"
+ 
++const char* command_injection_characters[] = {"|", ";", "&", "$", ">", "<", "(", ")", "./", "/.", "?", "*",
++ "\'", "`", "[", "]", "\\", "!", "\n"};
++
+ char *get_cur_date(void)
+ {
+ /* return date str, ex: 2021/05/17 */
+@@ -240,5 +243,26 @@ int copy_file(const char *dst_file, const char *src_file) {
+ free(buffer);
+ fclose(fp1);
+ fclose(fp2);
++ return 0;
++}
++
++/*
++ * Check the path to avoid command injection
++ * @path: path executed as command
++ */
++int check_path_for_security(const char *path)
++{
++ if (path == NULL || strlen(path) == 0) {
++ return 0;
++ }
++
++ int command_injection_characters_len = sizeof(command_injection_characters) / sizeof(command_injection_characters[0]);
++
++ for (int i = 0; i < command_injection_characters_len; ++i) {
++ if (strstr(path, command_injection_characters[i])) {
++ return 1;
++ }
++ }
++
+ return 0;
+ }
+\ No newline at end of file
+diff --git a/src/probes/extends/ebpf.probe/src/ioprobe/ioprobe.c b/src/probes/extends/ebpf.probe/src/ioprobe/ioprobe.c
+index af7b1ea..dc809dd 100644
+--- a/src/probes/extends/ebpf.probe/src/ioprobe/ioprobe.c
++++ b/src/probes/extends/ebpf.probe/src/ioprobe/ioprobe.c
+@@ -108,7 +108,7 @@ static char* __get_first_letter_pos(char *buf)
+ pos++;
+ p = buf + pos;
+ }
+-
++
+ if (pos >= len) {
+ return NULL;
+ }
+@@ -166,6 +166,12 @@ static int get_devt(char *dev_name, int *major, int *minor)
+ 
+ sys_file[0] = 0;
+ (void)snprintf(sys_file, PATH_LEN, "/sys/block/%s/dev", dev_name);
++
++ if (check_path_for_security(sys_file)) {
++ fprintf(stderr, "invalid dev name\n", dev_name);
++ return -1;
++ }
++
+ if (access(sys_file, 0)) {
+ sys_file[0] = 0;
+ (void)snprintf(sys_file, PATH_LEN, "/sys/block/*/%s/../dev", dev_name);
+-- 
+2.33.0
+
-- 
Gitee
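Review bot: The rejection message added to get_devt, `fprintf(stderr, "invalid dev name\n", dev_name);`, has no conversion for dev_name, so the refused name is never logged and the surplus argument trips -Wformat; `fprintf(stderr, "invalid dev name: %s\n", dev_name);` records what was rejected. The gate itself is a denylist applied with strstr to the already-formatted path, and `command_injection_characters` lists the single quote but neither the double quote nor any whitespace other than "\n", so it is only as complete as the list and it reports a NULL or empty path as safe. Because dev_name is the only variable part of sys_file, validating dev_name against an allowlist before the snprintf is a smaller and more durable check; a sketch follows, and it needs <ctype.h> in ioprobe.c if that header is not already included (not visible here). Separately, `command_injection_characters` in util.c has external linkage with no declaration in common.h; `static const char *const command_injection_characters[]` keeps it file-local and immutable. get_devt continues past the hunk, so where sys_file is eventually consumed is not visible; the check is correctly placed before the second snprintf, whose `/sys/block/*/%s/../dev` pattern would otherwise be rejected by the `*` and `/.` entries.
```c
/* Accept only characters that occur in block-device names under /sys/block
 * (alphanumerics, '-' and '_'); anything else is refused before the name is
 * formatted into a path that is later executed as part of a command. */
static int is_safe_dev_name(const char *name)
{
    if (name == NULL || name[0] == '\0') {
        return 0;
    }
    for (const unsigned char *p = (const unsigned char *)name; *p != '\0'; p++) {
        if (!isalnum(*p) && *p != '-' && *p != '_') {
            return 0;
        }
    }
    return 1;
}

/* … unchanged: get_devt up to and including the first snprintf … */
    if (!is_safe_dev_name(dev_name)) {
        fprintf(stderr, "invalid dev name: %s\n", dev_name);
        return -1;
    }
```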