Message ID | 20231106150508.22665-3-alejandro.vallejo@cloud.com (mailing list archive) |
---|---|
State | New, archived |
Series | Pygrub security enhancements and bugfixes |
On 06/11/2023 3:05 pm, Alejandro Vallejo wrote: > The env variable must be interpreted as an integer. As it is, the override > logic simply causes an exception. Fixes: e0342ae5556f ("tools/pygrub: Deprivilege pygrub") > Signed-off-by: Alejandro Vallejo <alejandro.vallejo@cloud.com> > --- > tools/pygrub/src/pygrub | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/tools/pygrub/src/pygrub b/tools/pygrub/src/pygrub > index 08540ad288..327cf51774 100755 > --- a/tools/pygrub/src/pygrub > +++ b/tools/pygrub/src/pygrub > @@ -89,7 +89,7 @@ def downgrade_rlimits(): > # write permissions are bound. > fsize = LIMIT_FSIZE > if "PYGRUB_MAX_FILE_SIZE_MB" in os.environ.keys(): > - fsize = os.environ["PYGRUB_MAX_FILE_SIZE_MB"] << 20 > + fsize = int(os.environ["PYGRUB_MAX_FILE_SIZE_MB"]) << 20 > > resource.setrlimit(resource.RLIMIT_FSIZE, (fsize, fsize)) > This change on its own is correct, so Acked-by: Andrew Cooper <andrew.cooper3@citrix.com> However, there's a bug/misfeature which you've copied in patch 3, so I've inserted a patch 2.5 to try and fix it in a nice order. It's probably a little rude to merge the pythonic-fix into this functional fix. ~Andrew
diff --git a/tools/pygrub/src/pygrub b/tools/pygrub/src/pygrub index 08540ad288..327cf51774 100755 --- a/tools/pygrub/src/pygrub +++ b/tools/pygrub/src/pygrub @@ -89,7 +89,7 @@ def downgrade_rlimits(): # write permissions are bound. fsize = LIMIT_FSIZE if "PYGRUB_MAX_FILE_SIZE_MB" in os.environ.keys(): - fsize = os.environ["PYGRUB_MAX_FILE_SIZE_MB"] << 20 + fsize = int(os.environ["PYGRUB_MAX_FILE_SIZE_MB"]) << 20 resource.setrlimit(resource.RLIMIT_FSIZE, (fsize, fsize))
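Review bot: the new `int(os.environ["PYGRUB_MAX_FILE_SIZE_MB"])` in downgrade_rlimits() still raises ValueError when the variable is empty or not parseable as an integer, so a malformed override ends in an uncaught exception, and a negative value is shifted and handed to `resource.setrlimit(resource.RLIMIT_FSIZE, (fsize, fsize))` unchecked. Consider catching ValueError and rejecting values below zero, then either falling back to LIMIT_FSIZE or exiting with a message that names the variable, since this limit bounds what the deprivileged process can write. Style point on the unchanged context line above the change: `in os.environ` is sufficient, the `.keys()` call is not needed.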
The env variable must be interpreted as an integer. As it is, the override logic simply causes an exception.

Signed-off-by: Alejandro Vallejo <alejandro.vallejo@cloud.com>
---
tools/pygrub/src/pygrub | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)