Re: [PATCH 1/2] Verify commands executed by grub

Vladimir 'phcoder' Serbinenko Fri, 21 Jul 2017 07:40:42 -0700

On Wed, Jul 5, 2017, 23:26 Matthew Garrett <mj...@google.com> wrote:

> Pass commands to the verification code. We want to be able to log these
> in the TPM verification case.
> ---
>  grub-core/script/execute.c | 27 ++++++++++++++++++++++++---
>  include/grub/verify.h      |  1 +
>  2 files changed, 25 insertions(+), 3 deletions(-)
>
> diff --git a/grub-core/script/execute.c b/grub-core/script/execute.c
> index a8502d907..ee299fd0e 100644
> --- a/grub-core/script/execute.c
> +++ b/grub-core/script/execute.c
> @@ -27,6 +27,7 @@
>  #include <grub/normal.h>
>  #include <grub/extcmd.h>
>  #include <grub/i18n.h>
> +#include <grub/verify.h>
>
>  /* Max digits for a char is 3 (0xFF is 255), similarly for an int it
>     is sizeof (int) * 3, and one extra for a possible -ve sign.  */
> @@ -929,8 +930,9 @@ grub_script_execute_cmdline (struct grub_script_cmd
> *cmd)
>    grub_err_t ret = 0;
>    grub_script_function_t func = 0;
>    char errnobuf[18];
> -  char *cmdname;
> -  int argc;
> +  char *cmdname, *cmdstring;
> +  int argc, offset = 0, cmdlen = 0;
> +  unsigned int i;
>    char **args;
>    int invert;
>    struct grub_script_argv argv = { 0, 0, 0 };
> @@ -939,6 +941,26 @@ grub_script_execute_cmdline (struct grub_script_cmd
> *cmd)
>    if (grub_script_arglist_to_argv (cmdline->arglist, &argv) || !
> argv.args[0])
>      return grub_errno;
>
> +  for (i = 0; i < argv.argc; i++)
> +    {
> +      cmdlen += grub_strlen (argv.args[i]) + 1;
> +    }
> +
> +  cmdstring = grub_malloc (cmdlen);
> +  if (!cmdstring)
> +    {
> +      return grub_error (GRUB_ERR_OUT_OF_MEMORY,
> +                        N_("cannot allocate command buffer"));
> +    }
> +
> +  for (i = 0; i < argv.argc; i++)
> +    {
> +      offset += grub_snprintf (cmdstring + offset, cmdlen - offset, "%s ",
> +                              argv.args[i]);
> +    }
>
This omits all separators. So it considers e.g. ab and a b to be the same.
Can we have a better array serialization? I.a. following 3 need to be
distinguished:
ab
a b
"a b"


> +  cmdstring[cmdlen - 1] = '\0';
> +  grub_verify_string (cmdstring, GRUB_VERIFY_COMMAND);
> +  grub_free (cmdstring);
>    invert = 0;
>    argc = argv.argc - 1;
>    args = argv.args + 1;
> @@ -1163,4 +1185,3 @@ grub_script_execute (struct grub_script *script)
>
>    return grub_script_execute_cmd (script->cmd);
>  }
> -
> diff --git a/include/grub/verify.h b/include/grub/verify.h
> index acab4f437..517d386d0 100644
> --- a/include/grub/verify.h
> +++ b/include/grub/verify.h
> @@ -11,6 +11,7 @@ enum grub_verify_string_type
>    {
>      GRUB_VERIFY_KERNEL_CMDLINE,
>      GRUB_VERIFY_MODULE_CMDLINE,
> +    GRUB_VERIFY_COMMAND,
>    };
>
>  struct grub_file_verifier
> --
> 2.13.2.725.g09c95d1e9-goog
>
>
> _______________________________________________
> Grub-devel mailing list
> Grub-devel@gnu.org
> https://lists.gnu.org/mailman/listinfo/grub-devel
>

_______________________________________________
Grub-devel mailing list
Grub-devel@gnu.org
https://lists.gnu.org/mailman/listinfo/grub-devel

Re: [PATCH 1/2] Verify commands executed by grub

Reply via email to