config: Protect ctlpath from annotation attack

This also adds annotation for ctlpath which were not present before. It's better to implement the code consistenly right now to make sure that we don't end up with a leaky implementation tacked on later. Fixes: #901 Signed-off-by: Christophe de Dinechin <dinechin@redhat.com>
2025-12-19 15:24:26 +01:00 · 2020-05-15 18:10:53 +02:00
parent 27b6620b23
commit b21a829c61
7 changed files with 43 additions and 20 deletions
--- a/src/runtime/pkg/katautils/config.go
+++ b/src/runtime/pkg/katautils/config.go
@@ -725,26 +725,27 @@ func newAcrnHypervisorConfig(h hypervisor) (vc.HypervisorConfig, error) {
 	}

 	return vc.HypervisorConfig{
-		HypervisorPath:       hypervisor,
-		HypervisorPathList:   h.HypervisorPathList,
-		KernelPath:           kernel,
-		ImagePath:            image,
-		HypervisorCtlPath:    hypervisorctl,
-		FirmwarePath:         firmware,
-		KernelParams:         vc.DeserializeParams(strings.Fields(kernelParams)),
-		NumVCPUs:             h.defaultVCPUs(),
-		DefaultMaxVCPUs:      h.defaultMaxVCPUs(),
-		MemorySize:           h.defaultMemSz(),
-		MemSlots:             h.defaultMemSlots(),
-		EntropySource:        h.GetEntropySource(),
-		DefaultBridges:       h.defaultBridges(),
-		HugePages:            h.HugePages,
-		Mlock:                !h.Swap,
-		Debug:                h.Debug,
-		DisableNestingChecks: h.DisableNestingChecks,
-		BlockDeviceDriver:    blockDriver,
-		DisableVhostNet:      h.DisableVhostNet,
-		GuestHookPath:        h.guestHookPath(),
+		HypervisorPath:        hypervisor,
+		HypervisorPathList:    h.HypervisorPathList,
+		KernelPath:            kernel,
+		ImagePath:             image,
+		HypervisorCtlPath:     hypervisorctl,
+		HypervisorCtlPathList: h.CtlPathList,
+		FirmwarePath:          firmware,
+		KernelParams:          vc.DeserializeParams(strings.Fields(kernelParams)),
+		NumVCPUs:              h.defaultVCPUs(),
+		DefaultMaxVCPUs:       h.defaultMaxVCPUs(),
+		MemorySize:            h.defaultMemSz(),
+		MemSlots:              h.defaultMemSlots(),
+		EntropySource:         h.GetEntropySource(),
+		DefaultBridges:        h.defaultBridges(),
+		HugePages:             h.HugePages,
+		Mlock:                 !h.Swap,
+		Debug:                 h.Debug,
+		DisableNestingChecks:  h.DisableNestingChecks,
+		BlockDeviceDriver:     blockDriver,
+		DisableVhostNet:       h.DisableVhostNet,
+		GuestHookPath:         h.guestHookPath(),
 	}, nil
 }