Bug 1989551 - Handling spaces in the parsing of /proc/cmdline
Summary: Handling spaces in the parsing of /proc/cmdline
Keywords:
Status: MODIFIED
Alias: None
Product: Red Hat Enterprise Linux 9
Classification: Red Hat
Component: rust-coreos-installer
Version: 9.2
Hardware: All
OS: Linux
Priority: medium
Severity: low
Target Milestone: rc
Target Release: 9.4
Assignee: Timothée Ravier
QA Contact: RHCOS SST QE
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2021-08-03 12:56 UTC by Cedric Buissart
Modified: 2023-08-30 14:41 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2023-08-08 07:28:34 UTC
Type: Bug
Target Upstream Version:
Embargoed:


Links

| System | ID | Private | Priority | Status | Summary | Last Updated |
|---|---|---|---|---|---|---|
| Github | coreos coreos-installer pull 1194 | 0 | None | open | systemd/coreos-installer-generator: Properly read cmdline | 2023-05-25 15:26:13 UTC |
| Github | coreos coreos-installer pull 999 | 0 | None | open | \*: ShellCheck fixes | 2023-02-08 14:52:38 UTC |
| Red Hat Issue Tracker | RHELPLAN-92062 | 0 | None | None | None | 2021-08-03 12:58:57 UTC |

Description Cedric Buissart 2021-08-03 12:56:39 UTC
Covscan spotted the following :

```
Error: SHELLCHECK_WARNING (CWE-569): [#def1]
/usr/lib/dracut/modules.d/50rdcore/coreos-installer-generator:23:11:
warning[SC2207]: Prefer mapfile or read -a to split command output (or
quote to avoid splitting).
#   21|   }
#   22|
#   23|-> cmdline=( $(</proc/cmdline) )
#   24|   karg() {
#   25|       local name="$1" value="$2"
```

=> This looks like a very minor, but valid problem.

Linux boot parameters support spaces, which are protected by using quotes in the output. In theory, if an attacker can inject a specially crafted value within another parameter printed before the key being searched, they could control parameters such as `coreos.inst.ignition_url`, or `firstboot_args`, and thus control the installation.

In practice, I am not sure it is worth really considering this as a security vulnerability because of the unlikelihood of the vector (injecting specially crafted values in a boot parameter does not feel like something easy).

Regardless: it might be worth improving this, as it may also lead to bugs if any coreos-installer boot param contains a space.

ShellCheck's tip : https://github.com/koalaman/shellcheck/wiki/SC2207
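
The splitting problem described in this report, as an added example that is not part of the original report or of coreos-installer: a lookup that word-splits the command line next to one that honours double quotes. The command line, the `foo.label` parameter and both function names are constructed for illustration, and only the space character is treated as a separator.

```shell
#!/bin/sh
# Added example, not coreos-installer code. SAMPLE_CMDLINE is constructed:
# "foo.label" is a hypothetical parameter whose quoted value contains spaces.
SAMPLE_CMDLINE='BOOT_IMAGE=/vmlinuz foo.label="my disk coreos.inst.ignition_url=http://example.invalid/x.ign" rw'

# Naive lookup: unquoted expansion splits on every blank and ignores the
# quotes, the same effect as cmdline=( $(</proc/cmdline) ) (SC2207).
karg_naive() (
    line=$1 name=$2 value=
    set -f    # disable globbing so only word splitting is at play
    for arg in $line; do
        if [ "${arg%%=*}" = "$name" ]; then value=${arg#*=}; fi
    done
    printf '%s\n' "$value"
)

# Quote-aware lookup: a double quote toggles "inside a value"; a space only
# ends a parameter outside quotes. Quote characters themselves are dropped.
karg_quoted() (
    rest="$1 " name=$2 value= tok= inq=0   # trailing space flushes last token
    while [ -n "$rest" ]; do
        c=${rest%"${rest#?}"}              # first character of $rest
        rest=${rest#?}
        case $c in
            '"') inq=$((1 - inq)) ;;
            ' ')
                if [ "$inq" -eq 1 ]; then
                    tok=$tok$c
                elif [ -n "$tok" ]; then
                    if [ "${tok%%=*}" = "$name" ]; then value=${tok#*=}; fi
                    tok=
                fi ;;
            *) tok=$tok$c ;;
        esac
    done
    printf '%s\n' "$value"
)

# Show both lookups side by side on the constructed command line.
for key in coreos.inst.ignition_url foo.label; do
    printf '%-26s naive=[%s] quoted=[%s]\n' "$key" \
        "$(karg_naive "$SAMPLE_CMDLINE" "$key")" \
        "$(karg_quoted "$SAMPLE_CMDLINE" "$key")"
done
```

On the constructed input the naive lookup reports a `coreos.inst.ignition_url` that exists only inside another parameter's quoted value and truncates `foo.label` at the first space, while the quote-aware lookup reports the former as unset and returns the latter whole.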

Comment 1 Cedric Buissart 2021-08-03 13:00:36 UTC
A similar issue may happen when building environment variables from the outputs of udevadm & lsblk:

```
Error: SHELLCHECK_WARNING (CWE-88): [#def11]
/usr/lib/dracut/modules.d/50rdcore/growfs:51:18: warning[SC2046]: Quote this to prevent word splitting.
#   49|       case "${TYPE}" in
#   50|           part)
#   51|->             eval $(udevadm info --query property --export "${current_blkdev}" | grep ^DM_ || :)
#   52|               if [ -n "${DM_MPATH:-}" ]; then
#   53|                   # Since growpart does not understand device mapper, we have to use sfdisk.
```

```
Error: SHELLCHECK_WARNING (CWE-88): [#def12]
/usr/lib/dracut/modules.d/50rdcore/growfs:65:19: warning[SC2046]: Quote this to prevent word splitting.
#   63|               # XXX: yuck... we need to expose this sanely in clevis
#   64|               (. /usr/bin/clevis-luks-common-functions
#   65|->              eval $(udevadm info --query=property --export "${NAME}")
#   66|                # lsblk doesn't print PKNAME of crypt devices with --nodeps
#   67|                PKNAME=/dev/$(ls "/sys/dev/block/${MAJMIN}/slaves")
```


For example, it is to be noted that udevadm's output is protected by quotes, so it really may contain spaces.

ShellCheck's tip : https://github.com/koalaman/shellcheck/wiki/SC2046

Comment 3 RHEL Program Management 2023-02-03 07:27:48 UTC
After evaluating this issue, there are no plans to address it further or fix it in an upcoming release.  Therefore, it is being closed.  If plans change such that this issue will be fixed in an upcoming release, then the bug can be reopened.

Comment 4 Timothée Ravier 2023-02-08 14:52:38 UTC
Moving to RHEL 9 as we'll likely fix it there via: https://github.com/coreos/coreos-installer/pull/999

Comment 6 Benjamin Gilbert 2023-03-23 18:00:48 UTC
There are two copies of coreos-installer-generator.  It's not clear which one this bug originally referred to, but both should be fixed.  The one in coreos-installer-dracut has now been fixed, but the one in coreos-installer was not actually fixed by https://github.com/coreos/coreos-installer/pull/999.

Comment 9 RHEL Program Management 2023-08-08 07:28:34 UTC
After evaluating this issue, there are no plans to address it further or fix it in an upcoming release.  Therefore, it is being closed.  If plans change such that this issue will be fixed in an upcoming release, then the bug can be reopened.

Comment 10 Timothée Ravier 2023-08-30 14:37:32 UTC
This has been fixed in the 0.17.0 release which landed in CentOS Stream 9 approximately 5 months ago.

Comment 11 Timothée Ravier 2023-08-30 14:39:52 UTC
Whoops, the second fix from https://github.com/coreos/coreos-installer/pull/1194 is not in a release yet. Re-opening.

