From patchwork Mon May 29 17:54:23 2023
X-Patchwork-Submitter: Erik Karlsson
X-Patchwork-Id: 1787210
X-Patchwork-Delegate: hauke@hauke-m.de
From: erik.r.karlsson@gmail.com
To: Jo-Philipp Wich
Cc: openwrt-devel@lists.openwrt.org, Erik Karlsson
Subject: [PATCH] file: strengthen exec access control
Date: Mon, 29 May 2023 19:54:23 +0200
Message-Id: <20230529175423.4046928-1-erik.r.karlsson@gmail.com>
X-Mailer: git-send-email 2.25.1
List-Id: OpenWrt Development List

From: Erik Karlsson

Do not allow setting environment variables if there is a session, as
there is no access control for environment variables and allowing
arbitrary data into the environment is unsafe.

Do not leak arguments through unchecked if the size of the buffer for
access checking the whole command line is exceeded.

Adjust the maximum number of allowed arguments so it matches the actual
implementation.

Signed-off-by: Erik Karlsson
---
 file.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/file.c b/file.c
index 07b4d3c..1e5b2f4 100644
--- a/file.c
+++ b/file.c
@@ -809,6 +809,9 @@ rpc_file_exec_run(const char *cmd, const struct blob_attr *sid, struct rpc_file_exec_context *c; + if (sid && env) + return UBUS_STATUS_PERMISSION_DENIED; + cmd = rpc_file_exec_lookup(cmd); if (!cmd) @@ -824,7 +827,7 @@ rpc_file_exec_run(const char *cmd, const struct blob_attr *sid, if (arg == NULL || strlen(executable) >= sizeof(cmdstr)) return UBUS_STATUS_PERMISSION_DENIED; - arglen = 0; + arglen = 2; p = cmdstr + sprintf(cmdstr, "%s", executable); blobmsg_for_each_attr(cur, arg, rem) @@ -834,7 +837,7 @@ rpc_file_exec_run(const char *cmd, const struct blob_attr *sid, if (arglen == 255 || p + blobmsg_data_len(cur) >= cmdstr + sizeof(cmdstr)) - break; + return UBUS_STATUS_PERMISSION_DENIED; p += sprintf(p, " %s", blobmsg_get_string(cur)); arglen++;
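Review bot: the new `if (sid && env)` test in the first hunk rejects a session-bound request that carries an `env` attribute at all, including an empty table, and it does nothing when `sid` is NULL, so callers without a session can still pass environment variables; both choices look deliberate but neither is stated in the commit message, so spell them out there (env is refused outright for session callers rather than filtered, and the no-session path is unchanged) so the behaviour change is documented for anyone reading the ACL semantics later.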
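Review bot: `arglen = 2` in the second hunk is a magic number, and the hunk does not show the argv array it is meant to line up with (the commit message only says the count now matches the implementation); add a comment saying what the two reserved slots are (presumably the executable in slot 0 and the terminating NULL), or better replace both this literal and the `255` in the loop with an expression derived from the array's size, e.g. `sizeof(argv) / sizeof(argv[0]) - 1` (array name assumed), so the two limits cannot drift apart again.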
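Review bot: the bare `return UBUS_STATUS_PERMISSION_DENIED` inside the `blobmsg_for_each_attr` loop in the third hunk is only leak-free if the exec context `c` declared in the first hunk has not been allocated by this point, which the visible context does not show; please confirm, since the old `break` fell through to whatever cleanup follows the loop. Replacing the `break` is the right fix, because a truncated `cmdstr` would have been access-checked while the request's remaining arguments went unchecked. Two smaller points on the surviving condition: `p + blobmsg_data_len(cur) >= cmdstr + sizeof(cmdstr)` forms a pointer beyond the end of `cmdstr` before comparing, which is undefined behaviour in C, and `(size_t)(p - cmdstr) + blobmsg_data_len(cur) >= sizeof(cmdstr)` is the equivalent well-defined form; and the check only covers the extra byte that `sprintf(p, " %s", ...)` writes for the leading space because `blobmsg_data_len()` counts the string's NUL terminator, which deserves a comment so nobody later "fixes" it to `strlen()`.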