| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 20 Sep 2021 23:39:57 +0200
From: Richard Weinberger <richard@....at>
To: masahiroy@...nel.org
Cc: linux-kernel@...r.kernel.org, linux-kbuild@...r.kernel.org,
Richard Weinberger <richard@....at>
Subject: [PATCH 2/2] kconfig: Deny command substitution in string values
The post processed .config file will get included in shell
and makefiles. So make sure that a string does not contain
symbols that allow command substitution.
If such a malformed string is found, return empty string
and report it.
Signed-off-by: Richard Weinberger <richard@....at>
---
scripts/kconfig/symbol.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/scripts/kconfig/symbol.c b/scripts/kconfig/symbol.c
index 4a31bb943f79..1035ecdddc99 100644
--- a/scripts/kconfig/symbol.c
+++ b/scripts/kconfig/symbol.c
@@ -880,6 +880,11 @@ const char *sym_escape_string(struct symbol *sym)
in = sym_get_string_value(sym);
+ if (strspn(in, "`$")) {
+ fprintf(stderr, "%s: invalid characters in string found\n", sym->name);
+ return xstrdup("\"\"");
+ }
+
reslen = strlen(in) + strlen("\"\"") + 1;
p = in;
--
2.26.2
Powered by blists - more mailing lists