* [pve-devel] [PATCH qemu-server] anchor CPU flag regex to avoid arbitrary flag suffixes
@ 2021-01-18 13:07 Stefan Reiter
2021-01-26 18:27 ` [pve-devel] applied: " Thomas Lamprecht
0 siblings, 1 reply; 2+ messages in thread
From: Stefan Reiter @ 2021-01-18 13:07 UTC (permalink / raw)
To: pve-devel
Previously one could specify a CPU flag like 'pcidfoobar' and it would
be accepted, even though we attempt to filter VM-only flags for
security. AFAICT none of the flags we allow can be turned into any
others just by appending text, but better safe than sorry.
Reported-by: Oguz Bektas <o.bektas@proxmox.com>
Signed-off-by: Stefan Reiter <s.reiter@proxmox.com>
---
PVE/QemuServer/CPUConfig.pm | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/PVE/QemuServer/CPUConfig.pm b/PVE/QemuServer/CPUConfig.pm
index 32192f2..b9981c8 100644
--- a/PVE/QemuServer/CPUConfig.pm
+++ b/PVE/QemuServer/CPUConfig.pm
@@ -214,7 +214,7 @@ sub validate_vm_cpu_conf {
# in a VM-specific config, certain properties are limited/forbidden
die "VM-specific CPU flags must be a subset of: @{[join(', ', @supported_cpu_flags)]}\n"
- if ($cpu->{flags} && $cpu->{flags} !~ m/$cpu_flag_supported_re(;$cpu_flag_supported_re)*/);
+ if ($cpu->{flags} && $cpu->{flags} !~ m/^$cpu_flag_supported_re(;$cpu_flag_supported_re)*$/);
die "Property 'reported-model' not allowed in VM-specific CPU config.\n"
if defined($cpu->{'reported-model'});
@@ -442,7 +442,7 @@ sub parse_cpuflag_list {
return $res if !$flaglist;
foreach my $flag (split(";", $flaglist)) {
- if ($flag =~ $re) {
+ if ($flag =~ m/^$re$/) {
$res->{$2} = { op => $1, reason => $reason };
}
}
--
2.20.1
^ permalink raw reply [flat|nested] 2+ messages in thread
* [pve-devel] applied: [PATCH qemu-server] anchor CPU flag regex to avoid arbitrary flag suffixes
2021-01-18 13:07 [pve-devel] [PATCH qemu-server] anchor CPU flag regex to avoid arbitrary flag suffixes Stefan Reiter
@ 2021-01-26 18:27 ` Thomas Lamprecht
0 siblings, 0 replies; 2+ messages in thread
From: Thomas Lamprecht @ 2021-01-26 18:27 UTC (permalink / raw)
To: Proxmox VE development discussion, Stefan Reiter
On 18.01.21 14:07, Stefan Reiter wrote:
> Previously one could specify a CPU flag like 'pcidfoobar' and it would
> be accepted, even though we attempt to filter VM-only flags for
> security. AFAICT none of the flags we allow can be turned into any
> others just by appending text, but better safe than sorry.
>
> Reported-by: Oguz Bektas <o.bektas@proxmox.com>
> Signed-off-by: Stefan Reiter <s.reiter@proxmox.com>
> ---
> PVE/QemuServer/CPUConfig.pm | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
>
applied, thanks!
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2021-01-26 18:27 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-01-18 13:07 [pve-devel] [PATCH qemu-server] anchor CPU flag regex to avoid arbitrary flag suffixes Stefan Reiter
2021-01-26 18:27 ` [pve-devel] applied: " Thomas Lamprecht
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.
Service provided by Proxmox Server Solutions GmbH | Privacy | Legal