From patchwork Mon Sep 20 21:39:57 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Richard Weinberger X-Patchwork-Id: 12506467 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-16.8 required=3.0 tests=BAYES_00, HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_CR_TRAILER,INCLUDES_PATCH, MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS,USER_AGENT_GIT autolearn=unavailable autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id D85AFC433EF for ; Mon, 20 Sep 2021 21:51:13 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id BB03B60F48 for ; Mon, 20 Sep 2021 21:51:13 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S233368AbhITVwk (ORCPT ); Mon, 20 Sep 2021 17:52:40 -0400 Received: from lithops.sigma-star.at ([195.201.40.130]:35470 "EHLO lithops.sigma-star.at" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S230240AbhITVuj (ORCPT ); Mon, 20 Sep 2021 17:50:39 -0400 X-Greylist: delayed 540 seconds by postgrey-1.27 at vger.kernel.org; Mon, 20 Sep 2021 17:50:39 EDT Received: from localhost (localhost [127.0.0.1]) by lithops.sigma-star.at (Postfix) with ESMTP id 8715D6169BCC; Mon, 20 Sep 2021 23:40:11 +0200 (CEST) Received: from lithops.sigma-star.at ([127.0.0.1]) by localhost (lithops.sigma-star.at [127.0.0.1]) (amavisd-new, port 10032) with ESMTP id FrKaLuZiFFX7; Mon, 20 Sep 2021 23:40:10 +0200 (CEST) Received: from localhost (localhost [127.0.0.1]) by lithops.sigma-star.at (Postfix) with ESMTP id A0D3E616E131; Mon, 20 Sep 2021 23:40:10 +0200 (CEST) Received: from lithops.sigma-star.at ([127.0.0.1]) by localhost (lithops.sigma-star.at [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id k65h5FpABQpK; Mon, 20 Sep 2021 23:40:10 +0200 (CEST) Received: from blindfold.corp.sigma-star.at (213-47-184-186.cable.dynamic.surfer.at [213.47.184.186]) by lithops.sigma-star.at (Postfix) with ESMTPSA id 0BBF86169BC6; Mon, 20 Sep 2021 23:40:09 +0200 (CEST) From: Richard Weinberger To: masahiroy@kernel.org Cc: linux-kernel@vger.kernel.org, linux-kbuild@vger.kernel.org, Richard Weinberger Subject: [PATCH 2/2] kconfig: Deny command substitution in string values Date: Mon, 20 Sep 2021 23:39:57 +0200 Message-Id: <20210920213957.1064-2-richard@nod.at> X-Mailer: git-send-email 2.26.2 In-Reply-To: <20210920213957.1064-1-richard@nod.at> References: <20210920213957.1064-1-richard@nod.at> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: linux-kbuild@vger.kernel.org The post processed .config file will get included in shell and makefiles. So make sure that a string does not contain symbols that allow command substitution. If such a malformed string is found, return empty string and report it. Signed-off-by: Richard Weinberger --- scripts/kconfig/symbol.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/scripts/kconfig/symbol.c b/scripts/kconfig/symbol.c index 4a31bb943f79..1035ecdddc99 100644 --- a/scripts/kconfig/symbol.c +++ b/scripts/kconfig/symbol.c @@ -880,6 +880,11 @@ const char *sym_escape_string(struct symbol *sym) in = sym_get_string_value(sym); + if (strspn(in, "`$")) { + fprintf(stderr, "%s: invalid characters in string found\n", sym->name); + return xstrdup("\"\""); + } + reslen = strlen(in) + strlen("\"\"") + 1; p = in;