From: Daniel Berteaud
To: Proxmox VE development discussion
Date: Fri, 9 Oct 2020 17:26:38 +0200 (CEST)
Subject: Re: [pve-devel] [PATCH storage] ZFSPlugin: untaint lun number
Message-ID: <1663712196.220058.1602257198078.JavaMail.zimbra@fws.fr>
In-Reply-To: <20201009151344.8999-1-s.ivanov@proxmox.com>

----- On 9 Oct 20, at 17:13, Stoiko Ivanov s.ivanov@proxmox.com wrote:

> ZFS over iSCSI fetches information about the disk-images via ssh, thus
> the obtained data is tainted (perlsec (1)).
>
> Since pvedaemon runs with '-T' enabled trying to start a VM via GUI/API failed,
> while it still worked via `qm` or `pvesh`.
>
> The issue surfaced after commit cb9db10c1a9855cf40ff13e81f9dd97d6a9b2698 in
> pve-common ('run_command: improve performance for logging and long lines'),
> and results from concatenating the original (tainted) buffer to a variable,
> instead of a captured subgroup.
>
> Untainting the value in ZFSPlugin should not cause any regressions, since the
> other 3 target providers already have a match on '\d+' for retrieving the
> lun number.
>
> reported via pve-user [0].
>
> reproduced and tested by setting up a LIO-target (on top of a virtual PVE),
> adding it as storage and trying to start a guest (with a disk on the
> ZFS over iSCSI storage) with `perl -T /usr/sbin/qm start $vmid`
>
> [0] https://lists.proxmox.com/pipermail/pve-user/2020-October/172055.html
>
> Signed-off-by: Stoiko Ivanov
> ---
> PVE/Storage/ZFSPlugin.pm | 6 +++++-
> 1 file changed, 5 insertions(+), 1 deletion(-)
>
> diff --git a/PVE/Storage/ZFSPlugin.pm b/PVE/Storage/ZFSPlugin.pm > index 383f0a0..63b9551 100644 > --- a/PVE/Storage/ZFSPlugin.pm > +++ b/PVE/Storage/ZFSPlugin.pm > @@ -159,7 +159,11 @@ sub zfs_get_lun_number { >=20 > die "could not find lun_number for guid $guid" if !$guid; >=20 > - return $class->zfs_request($scfg, undef, 'list_view', $guid); > + if ($class->zfs_request($scfg, undef, 'list_view', $guid) =3D~ /^(\d= +)$/) { > +=09return $1; > + } > + > + die "lun_number for guid $guid is not a number"; > }

Will give this a try ASAP! Thanks

--
[ https://www.firewall-services.com/ ]
Daniel Berteaud
FIREWALL-SERVICES SAS, Network security
Free Software Services Company
Tel: +33.5 56 64 15 32
Matrix: @dani:fws.fr
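
Review bot: In the new `if` in zfs_get_lun_number, the pattern /^(\d+)$/ uses `$`, which in Perl also matches before one trailing newline, so the check accepts a digits-only result followed by a newline but dies on any other padding in the list_view output, where the old code returned the value unchanged. If strictly digits is the intent, `\z` says so explicitly; if the helper output can carry surrounding whitespace, trim it before matching, so that a value that used to work does not now hit the die. The final die names only the guid; wording it so that it is clear the list_view result was rejected would help tell this failure apart from the "could not find lun_number" die two lines above the change. A short comment on the match stating that the capture is what untaints the value for '-T' would also keep a later cleanup from replacing `$1` with the raw return value.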