[device/mellanox] Mitigation for security vulnerability #11877
Conversation
Signed-off-by: maipbui <maibui@microsoft.com>
Signed-off-by: maipbui <maibui@microsoft.com>
qiluo-msft
requested review from
stephenxs,
dprital,
dgsudharsan and
liat-grozovik
|
I see that this change was done only for 2700, we do not want to backport this? |
qiluo-msft
added
Request for 201911 Branch 
Request for 202006 Branch
Request for 202012 Branch
Request for 202106 Branch
Request for 202111 Branch
@Yarden-Z, Qi added backport. can you check you can review and approve? |
Seems as though it is referenced to 2700 in other platforms. |
Signed-off-by: maipbui <maibui@microsoft.com>
Signed-off-by: maipbui <maibui@microsoft.com>
Signed-off-by: maipbui <maibui@microsoft.com>
Signed-off-by: maipbui <maibui@microsoft.com>
|
This pull request fixes 1 alert when merging bd9cf87 into a1b50ca - view on LGTM.com fixed alerts:
|
Signed-off-by: maipbui <maibui@microsoft.com>
|
This pull request fixes 1 alert when merging 20e2cd7 into a1b50ca - view on LGTM.com fixed alerts:
|
| fs_path = p3.communicate()[0].rstrip('\n') | ||
| p1.wait() | ||
| p2.wait() | ||
| if p1.returncode != 0 and p2.returncode != 0 and p3.returncode != 0: |
| cmd1 = ['fdisk', '-l'] | ||
| cmd2 = ['grep', 'ONIE boot'] | ||
| cmd3 = ['awk', '{print $1}'] | ||
| with subprocess.Popen(cmd1, universal_newlines=True, stdout=subprocess.PIPE) as p1: |
Signed-off-by: maipbui <maibui@microsoft.com>
|
This pull request introduces 1 alert and fixes 1 when merging a16ed29 into 1effff9 - view on LGTM.com new alerts:
fixed alerts:
|
|
@Yarden-Z I made some changes, could you help review? |
|
/azp run Azure.sonic-buildimage |
|
Azure Pipelines successfully started running 1 pipeline(s). |
Went over the new commit, did not find anything new to comment on. |
|
This pull request introduces 1 alert and fixes 1 when merging ba3c5de into 2f46689 - view on LGTM.com new alerts:
fixed alerts:
|
|
This pull request introduces 1 alert and fixes 1 when merging 1e62cff into 1f0699f - view on LGTM.com new alerts:
fixed alerts:
|
Signed-off-by: maipbui <maibui@microsoft.com>
|
This pull request introduces 1 alert and fixes 1 when merging c35ec09 into 1f0699f - view on LGTM.com new alerts:
fixed alerts:
|
qiluo-msft
removed
Request for 201911 Branch
Request for 202006 Branch
Request for 202012 Branch
Request for 202106 Branch
Request for 202111 Branch
| cmd = "mount -n -r -t ext4 {} {}".format(fs_path, fs_mountpoint) | ||
| subprocess.check_call(cmd, shell=True, universal_newlines=True) | ||
| cmd = ["mount", "-n", "-r", "-t", "ext4", fs_path, fs_mountpoint] | ||
| subprocess.check_call(cmd, universal_newlines=True) |
There was a problem hiding this comment.
It is not able to mount fs without shell=True.
Looks like it doesn't have the privilege to access /dev/sda2/
There was a problem hiding this comment.
could you share the error log?
There was a problem hiding this comment.
My bad. it doesn't relevant to the PR. it's because there is a \n at the end of /dev/sda2.
We will fix it on the platform API side.
Sorry for the inconvenient.
There was a problem hiding this comment.
Sorry. I realized the missing \n was still introduced by this PR. PR #12465 to fix it. can you please review it?
thanks.
There was a problem hiding this comment.
Thanks for the fix!
This fixes the following error ``` admin@sonic:~$ sudo fwutil show status mount: /mnt/onie-fs: special device /dev/sda2 does not exist. Error: Command '['mount', '-n', '-r', '-t', 'ext4', '/dev/sda2\n', '/mnt/onie-fs']' returned non-zero exit status 32.. Aborting... Aborted! admin@sonic:~$ sudo vi /usr/local/lib/python3.9/dist-packages/sonic_platform/ ``` Seems like #11877 the rstrip('\n') was removed. Probably by mistake. Signed-off-by: Stephen Sun <stephens@nvidia.com>
Related work items: sonic-net#2151, sonic-net#2194, sonic-net#2224, sonic-net#2237, sonic-net#2264, sonic-net#2281, sonic-net#2286, sonic-net#2297, sonic-net#2299, sonic-net#2305, sonic-net#2325, sonic-net#2335, sonic-net#2338, sonic-net#2341, sonic-net#2343, sonic-net#2347, sonic-net#2350, sonic-net#2355, sonic-net#2356, sonic-net#2358, sonic-net#2360, sonic-net#2363, sonic-net#2367, sonic-net#2368, sonic-net#2370, sonic-net#2374, sonic-net#2392, sonic-net#2398, sonic-net#2408, sonic-net#2414, sonic-net#2415, sonic-net#2419, sonic-net#2421, sonic-net#2422, sonic-net#2423, sonic-net#2426, sonic-net#2427, sonic-net#2430, sonic-net#2431, sonic-net#2433, sonic-net#2434, sonic-net#2436, sonic-net#2437, sonic-net#2441, sonic-net#2444, sonic-net#2445, sonic-net#2446, sonic-net#2456, sonic-net#2458, sonic-net#2460, sonic-net#2461, sonic-net#2463, sonic-net#2472, sonic-net#2475, sonic-net#11877, sonic-net#12024, sonic-net#12065, sonic-net#12097, sonic-net#12130, sonic-net#12209, sonic-net#12217, sonic-net#12244, sonic-net#12251, sonic-net#12255, sonic-net#12276, sonic-net#12284
Signed-off-by: maipbui maibui@microsoft.com
Dependency: PR (#12065) needs to merge first.
Why I did it
subprocess.Popen()andsubprocess.check_output()is used withshell=True, which is very dangerous for shell injection.How I did it
Disable
shell=True, enableshell=FalseHow to verify it
Tested on DUT, compare and verify the output between the original behavior and the new changes' behavior.
testresults.zip
Which release branch to backport (provide reason below if selected)
Description for the changelog
Link to config_db schema for YANG module changes
A picture of a cute animal (not mandatory but encouraged)