Re: [PATCH v2] kbuild: Don't source kernel config

From: Masahiro Yamada
Date: Tue Feb 20 2018 - 11:31:01 EST


2018-02-21 1:16 GMT+09:00 Richard Weinberger <richard@xxxxxx>:
> Am Dienstag, 20. Februar 2018, 17:00:39 CET schrieb Masahiro Yamada:
>> 2018-02-21 0:25 GMT+09:00 Richard Weinberger <richard@xxxxxx>:
>> > Am Dienstag, 20. Februar 2018, 16:18:11 CET schrieb Masahiro Yamada:
>> >> 2018-02-19 18:22 GMT+09:00 Richard Weinberger <richard@xxxxxx>:
>> >> > Don't source the kernel config file in shell scripts.
>> >> > The config file is not a shell script and often imported from untrusted
>> >> > sources.
>> >> > What could possible go wrong? ;-)
>> >>
>> >> Please enumerate your real problems.
>> >
>> > Build a kernel where the .config contains something like:
>> > CONFIG_CMDLINE_BOOL=y
>> > CONFIG_CMDLINE="`echo hello > world`"
>>
>> Same for Makefile
>> if a string symbol is referenced from Makefile, like
>>
>> CONFIG_CROSS_COMPILE="$(shell echo hello > world)aarch64-linux-gnu-"
>
> Correct. But you forget that the .config file is often imported from untrusted
> sources. Like on LKML, "my kernel explodes, this is the .config".
> Jonny random Kernel developer then takes the .config and builds it...
>
>> > I'll send a v3 because I forgot to convert one function in the shell
>> > script to the new bash array. kbuild bot FTW. :-)
>>
>> You do not need to do so.
>
> Okay, let's wait until toxic .configs appear in the wild. ;-)
>
>> This patch is so ugly.
>>
>> Also, changed shell scripts have '#!/bin/sh' shebang,
>> but you are adding bash as a requirement.
>
> An alternate approach would be this:
> diff --git a/scripts/kconfig/confdata.c b/scripts/kconfig/confdata.c
> index 5c12dc91ef34..ff0a7c62344b 100644
> --- a/scripts/kconfig/confdata.c
> +++ b/scripts/kconfig/confdata.c
> @@ -161,6 +161,13 @@ static int conf_set_sym_val(struct symbol *sym, int def,
> int def_flags, char *p)
> case S_STRING:
> if (*p++ != '"')
> break;
> +
> + p2 = strpbrk(p, "`$");
> + if (p2 && !(p2[0] == '$' && p2[1] != '(')) {
> + conf_warning("string contains forbidden characters");
> + return 1;
> + }
> +
> for (p2 = p; (p2 = strpbrk(p2, "\"\\")); p2++) {
> if (*p2 == '"') {
> *p2 = 0;
>
> That way the conf tool will sanitize the .config before shell scripts will
> source it.


This approach seems better.




--
Best Regards
Masahiro Yamada