Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[device/marvell] Mitigation for security vulnerability #11876

Merged
merged 16 commits into from
Nov 30, 2022
Merged

[device/marvell] Mitigation for security vulnerability #11876

Show file tree
Hide file tree
Changes from 14 commits
Commits
Show all changes
16 commits
Select commit Hold shift + click to select a range
9a05f34
Mitigate security vulnerabilities in os and commands
maipbui Aug 29, 2022
a455cae
Fix lgtm
maipbui Aug 29, 2022
3702046
Fix lgtm
maipbui Aug 29, 2022
23f0174
Convert cmd string to cmd array
maipbui Aug 30, 2022
db35a2a
Add args
maipbui Aug 30, 2022
0296296
Write str to file not using subprocess
maipbui Aug 30, 2022
394afe0
Rewrite str to file
maipbui Aug 30, 2022
076bac8
Open file using with
maipbui Sep 1, 2022
9766191
Fix lgtm
maipbui Sep 1, 2022
4f8874e
Use with
maipbui Sep 1, 2022
ccc7e52
Add output processing
maipbui Sep 8, 2022
072d8e9
Use functions from sonic-py-common
maipbui Sep 13, 2022
dbd999a
Replace os.system and shell=True
maipbui Sep 16, 2022
e2aef69
replace getstatusoutput
maipbui Sep 16, 2022
fd912a9
Remove nokia folder-s
maipbui Sep 17, 2022
11cf6d9
change run to call
maipbui Oct 5, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
21 changes: 9 additions & 12 deletions device/marvell/arm64-marvell_db98cx8580_16cd-r0/plugins/sfputil.py
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,17 +1,13 @@
try:
import os
import time
import sys
import re
import subprocess
from sonic_sfp.sfputilbase import SfpUtilBase
from sonic_py_common.general import getstatusoutput_noshell
except ImportError as e:
raise ImportError(str(e) + "- required module not found")

if sys.version_info[0] < 3:
import commands
else:
import subprocess as commands

smbus_present = 1

try:
Expand All @@ -31,9 +27,10 @@ class SfpUtil(SfpUtilBase):
_qsfp_ports = list(range(_port_start, ports_in_block + 1))

def __init__(self):
os.system("modprobe i2c-dev")
subprocess.run(["modprobe", "i2c-dev"])
if not os.path.exists("/sys/bus/i2c/devices/0-0050"):
os.system("echo optoe2 0x50 > /sys/bus/i2c/devices/i2c-0/new_device")
with open("/sys/bus/i2c/devices/i2c-0/new_device", 'w') as file:
file.write("optoe2 0x50")

eeprom_path = '/sys/bus/i2c/devices/0-0050/eeprom'
# for x in range(self.port _start, self.port_end +1):
Expand Down Expand Up @@ -74,8 +71,8 @@ def get_low_power_mode(self, port_num):
def i2c_get(self, device_addr, offset):
status = 0
if smbus_present == 0:
x = "i2cget -y 0 " + hex(device_addr) + " " + hex(offset)
cmdstatus, status = commands.getstatusoutput(x)
x = ["i2cget", "-y", "0", hex(device_addr), hex(offset)]
cmdstatus, status = getstatusoutput_noshell(x)
if cmdstatus != 0:
return cmdstatus
status = int(status, 16)
Expand All @@ -86,8 +83,8 @@ def i2c_get(self, device_addr, offset):

def i2c_set(self, device_addr, offset, value):
if smbus_present == 0:
cmd = "i2cset -y 0 " + hex(device_addr) + " " + hex(offset) + " " + hex(value)
os.system(cmd)
cmd = ["i2cset", "-y", "0", hex(device_addr), hex(offset), hex(value)]
subprocess.run(cmd)
else:
bus = smbus.SMBus(0)
bus.write_byte_data(device_addr, offset, value)
Expand Down
21 changes: 9 additions & 12 deletions device/marvell/arm64-marvell_db98cx8580_32cd-r0/plugins/sfputil.py
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,17 +1,13 @@
try:
import os
import time
import sys
import re
import subprocess
from sonic_sfp.sfputilbase import SfpUtilBase
from sonic_py_common.general import getstatusoutput_noshell
except ImportError as e:
raise ImportError(str(e) + "- required module not found")

if sys.version_info[0] < 3:
import commands
else:
import subprocess as commands

smbus_present = 1

try:
Expand All @@ -31,9 +27,10 @@ class SfpUtil(SfpUtilBase):
_qsfp_ports = list(range(_port_start, ports_in_block + 1))

def __init__(self):
os.system("modprobe i2c-dev")
subprocess.run(["modprobe", "i2c-dev"])
if not os.path.exists("/sys/bus/i2c/devices/0-0050"):
os.system("echo optoe2 0x50 > /sys/bus/i2c/devices/i2c-0/new_device")
with open("/sys/bus/i2c/devices/i2c-0/new_device", 'w') as file:
file.write("optoe2 0x50")

eeprom_path = '/sys/bus/i2c/devices/0-0050/eeprom'
# for x in range(self.port _start, self.port_end +1):
Expand Down Expand Up @@ -74,8 +71,8 @@ def get_low_power_mode(self, port_num):
def i2c_get(self, device_addr, offset):
status = 0
if smbus_present == 0:
x = "i2cget -y 0 " + hex(device_addr) + " " + hex(offset)
cmdstatus, status = commands.getstatusoutput(x)
x = ["i2cget", "-y", "0", hex(device_addr), hex(offset)]
cmdstatus, status = getstatusoutput_noshell(x)
if cmdstatus != 0:
return cmdstatus
status = int(status, 16)
Expand All @@ -86,8 +83,8 @@ def i2c_get(self, device_addr, offset):

def i2c_set(self, device_addr, offset, value):
if smbus_present == 0:
cmd = "i2cset -y 0 " + hex(device_addr) + " " + hex(offset) + " " + hex(value)
os.system(cmd)
cmd = ["i2cset", "-y", "0", hex(device_addr), hex(offset), hex(value)]
subprocess.run(cmd)
else:
bus = smbus.SMBus(0)
bus.write_byte_data(device_addr, offset, value)
Expand Down
13 changes: 3 additions & 10 deletions device/marvell/armhf-marvell_et6448m_52x-r0/plugins/psuutil.py
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,9 +1,4 @@
import sys
import os.path
if sys.version_info[0] < 3:
import commands
else:
import subprocess as commands
from sonic_py_common.general import getstatusoutput_noshell

smbus_present = 1
try:
Expand Down Expand Up @@ -32,8 +27,7 @@ def get_psu_status(self, index):
if index is None:
return False
if smbus_present == 0:
cmdstatus, psustatus = commands.getstatusoutput(
'i2cget -y 0 0x41 0xa') # need to verify the cpld register logic
cmdstatus, psustatus = getstatusoutput_noshell(["i2cget", "-y", "0", "0x41", "0xa"])
psustatus = int(psustatus, 16)
else:
bus = smbus.SMBus(0)
Expand All @@ -56,8 +50,7 @@ def get_psu_presence(self, index):
return False

if smbus_present == 0:
cmdstatus, psustatus = commands.getstatusoutput(
'i2cget -y 0 0x41 0xa') # need to verify the cpld register logic
cmdstatus, psustatus = getstatusoutput_noshell(["i2cget", "-y", "0", "0x41", "0xa"])
psustatus = int(psustatus, 16)
else:
bus = smbus.SMBus(0)
Expand Down
18 changes: 7 additions & 11 deletions device/marvell/armhf-marvell_et6448m_52x-r0/plugins/sfputil.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,17 +2,13 @@
import os
import time
import re
import sys
import glob
import subprocess
from sonic_sfp.sfputilbase import SfpUtilBase
from sonic_py_common.general import getstatusoutput_noshell
except ImportError as e:
raise ImportError(str(e) + "- required module not found")

if sys.version_info[0] < 3:
import commands
else:
import subprocess as commands

smbus_present = 1

try:
Expand Down Expand Up @@ -43,7 +39,7 @@ def __init__(self):

# Enable optical SFP Tx
if smbus_present == 0:
os.system("i2cset -y -m 0x0f 0 0x41 0x5 0x00")
subprocess.run(["i2cset", "-y", "-m", "0x0f", "0", "0x41", "0x5", "0x00"])
else:
bus = smbus.SMBus(0)
DEVICE_ADDRESS = 0x41
Expand All @@ -66,8 +62,9 @@ def __init__(self):
port_eeprom_path = eeprom_path.format(self.port_to_i2c_mapping[x])
#print port_eeprom_path
if not os.path.exists(port_eeprom_path):
bus_dev_path = bus_path.format(self.port_to_i2c_mapping[x])
os.system("echo optoe2 0x50 > " + bus_dev_path + "/new_device")
bus_dev_path = bus_path.format(self.port_to_i2c_mapping[x]) + "/new_device"
with open(bus_dev_path, 'w') as f:
f.write("optoe2 0x50")
self.port_to_eeprom_mapping[x] = port_eeprom_path
self._port_to_eeprom_mapping[x] = port_eeprom_path
SfpUtilBase.__init__(self)
Expand Down Expand Up @@ -113,8 +110,7 @@ def get_presence(self, port_num):
pos = [1, 2, 4, 8]
bit_pos = pos[prt]
if smbus_present == 0:
cmdstatus, sfpstatus = commands.getstatusoutput(
'i2cget -y 0 0x41 0x3') # need to verify the cpld register logic
cmdstatus, sfpstatus = getstatusoutput_noshell(['i2cget', '-y', '0', '0x41', '0x3'])
sfpstatus = int(sfpstatus, 16)
else:
bus = smbus.SMBus(0)
Expand Down
21 changes: 9 additions & 12 deletions device/marvell/x86_64-marvell_db98cx8580_16cd-r0/plugins/sfputil.py
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,17 +1,13 @@
try:
import os
import time
import sys
import re
import subprocess
from sonic_sfp.sfputilbase import SfpUtilBase
from sonic_py_common.general import getstatusoutput_noshell
except ImportError as e:
raise ImportError(str(e) + "- required module not found")

if sys.version_info[0] < 3:
import commands
else:
import subprocess as commands

smbus_present = 1

try:
Expand All @@ -31,9 +27,10 @@ class SfpUtil(SfpUtilBase):
_qsfp_ports = list(range(_port_start, ports_in_block + 1))

def __init__(self):
os.system("modprobe i2c-dev")
subprocess.run(["modprobe", "i2c-dev"])
if not os.path.exists("/sys/bus/i2c/devices/0-0050"):
os.system("echo optoe2 0x50 > /sys/bus/i2c/devices/i2c-0/new_device")
with open("/sys/bus/i2c/devices/i2c-0/new_device", 'w') as file:
file.write("optoe2 0x50")

eeprom_path = '/sys/bus/i2c/devices/0-0050/eeprom'
# for x in range(self.port _start, self.port_end +1):
Expand Down Expand Up @@ -74,8 +71,8 @@ def get_low_power_mode(self, port_num):
def i2c_get(self, device_addr, offset):
status = 0
if smbus_present == 0:
x = "i2cget -y 0 " + hex(device_addr) + " " + hex(offset)
cmdstatus, status = commands.getstatusoutput(x)
x = ["i2cget", "-y", "0", hex(device_addr), hex(offset)]
cmdstatus, status = getstatusoutput_noshell(x)
if cmdstatus != 0:
return cmdstatus
status = int(status, 16)
Expand All @@ -86,8 +83,8 @@ def i2c_get(self, device_addr, offset):

def i2c_set(self, device_addr, offset, value):
if smbus_present == 0:
cmd = "i2cset -y 0 " + hex(device_addr) + " " + hex(offset) + " " + hex(value)
os.system(cmd)
cmd = ["i2cset", "-y", "0", hex(device_addr), hex(offset), hex(value)]
subprocess.run(cmd)
else:
bus = smbus.SMBus(0)
bus.write_byte_data(device_addr, offset, value)
Expand Down
21 changes: 9 additions & 12 deletions device/marvell/x86_64-marvell_db98cx8580_32cd-r0/plugins/sfputil.py
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,17 +1,13 @@
try:
import os
import time
import sys
import re
import subprocess
from sonic_sfp.sfputilbase import SfpUtilBase
from sonic_py_common.general import getstatusoutput_noshell
except ImportError as e:
raise ImportError(str(e) + "- required module not found")

if sys.version_info[0] < 3:
import commands
else:
import subprocess as commands

smbus_present = 1

try:
Expand All @@ -31,9 +27,10 @@ class SfpUtil(SfpUtilBase):
_qsfp_ports = list(range(_port_start, ports_in_block + 1))

def __init__(self):
os.system("modprobe i2c-dev")
subprocess.run(["modprobe", "i2c-dev"])
if not os.path.exists("/sys/bus/i2c/devices/0-0050"):
os.system("echo optoe2 0x50 > /sys/bus/i2c/devices/i2c-0/new_device")
with open("/sys/bus/i2c/devices/i2c-0/new_device", 'w') as file:
file.write("optoe2 0x50")

eeprom_path = '/sys/bus/i2c/devices/0-0050/eeprom'
# for x in range(self.port _start, self.port_end +1):
Expand Down Expand Up @@ -74,8 +71,8 @@ def get_low_power_mode(self, port_num):
def i2c_get(self, device_addr, offset):
status = 0
if smbus_present == 0:
x = "i2cget -y 0 " + hex(device_addr) + " " + hex(offset)
cmdstatus, status = commands.getstatusoutput(x)
x = ["i2cget", "-y", "0", hex(device_addr), hex(offset)]
cmdstatus, status = getstatusoutput_noshell(x)
if cmdstatus != 0:
return cmdstatus
status = int(status, 16)
Expand All @@ -86,8 +83,8 @@ def i2c_get(self, device_addr, offset):

def i2c_set(self, device_addr, offset, value):
if smbus_present == 0:
cmd = "i2cset -y 0 " + hex(device_addr) + " " + hex(offset) + " " + hex(value)
os.system(cmd)
cmd = ["i2cset", "-y", "0", hex(device_addr), hex(offset), hex(value)]
subprocess.run(cmd)
else:
bus = smbus.SMBus(0)
bus.write_byte_data(device_addr, offset, value)
Expand Down
12 changes: 4 additions & 8 deletions platform/marvell-armhf/sonic-platform-nokia/7215/sonic_platform/chassis.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -18,6 +18,7 @@
from sonic_platform.thermal import Thermal
from sonic_platform.component import Component
from sonic_py_common import logger
from sonic_py_common.general import getstatusoutput_noshell
except ImportError as e:
raise ImportError(str(e) + "- required module not found")

Expand All @@ -27,11 +28,6 @@
except ImportError as e:
smbus_present = 0

if sys.version_info[0] < 3:
import commands as cmd
else:
import subprocess as cmd

MAX_SELECT_DELAY = 3600
COPPER_PORT_START = 1
COPPER_PORT_END = 48
Expand Down Expand Up @@ -209,7 +205,7 @@ def get_revision(self):
string: Revision value of chassis
"""
if smbus_present == 0: # called from host
cmdstatus, value = cmd.getstatusoutput('sudo i2cget -y 0 0x41 0x0')
cmdstatus, value = getstatusoutput_noshell(['sudo', 'i2cget', '-y', '0', '0x41', '0x0'])
else:
bus = smbus.SMBus(0)
DEVICE_ADDRESS = 0x41
Expand Down Expand Up @@ -331,7 +327,7 @@ def set_status_led(self, color):

# Write sys led
if smbus_present == 0: # called from host (e.g. 'show system-health')
cmdstatus, value = cmd.getstatusoutput('sudo i2cset -y 0 0x41 0x7 %d' % value)
cmdstatus, value = getstatusoutput_noshell(['sudo', 'i2cset', '-y', '0', '0x41', '0x7', value])
if cmdstatus:
sonic_logger.log_warning(" System LED set %s failed" % value)
return False
Expand All @@ -353,7 +349,7 @@ def get_status_led(self):
"""
# Read sys led
if smbus_present == 0: # called from host
cmdstatus, value = cmd.getstatusoutput('sudo i2cget -y 0 0x41 0x7')
cmdstatus, value = getstatusoutput_noshell(['sudo', 'i2cget', '-y', '0', '0x41', '0x7'])
value = int(value, 16)
else:
bus = smbus.SMBus(0)
Expand Down
Loading