vxdna: path validation in read_sysfs [SWSPLAT-8844] #959
Conversation
There was a problem hiding this comment.
Pull request overview
This PR implements a security fix to prevent path traversal vulnerabilities in the read_sysfs() function. Malicious guests could previously exploit this by requesting paths like "../../../etc/passwd" to read arbitrary files on the host system.
Key Changes:
- Added path validation using
std::filesystem::canonical()to ensure requested paths remain within the device's sysfs root directory - Migrated from C headers (
stdlib.h,string.h) to C++ equivalents (cstdlib,cstring) - Added comprehensive unit tests covering multiple path traversal attack patterns
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| src/vxdna/src/vaccel_amdxdna.cpp | Implements path validation logic to prevent directory traversal attacks by canonicalizing and validating paths |
| src/vxdna/tests/test_vaccel.cpp | Adds security-focused unit test covering various path traversal attack vectors |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
properly handle path validation in read_sysfs() and Code cleanup: - Use C++ headers (<cstdlib>, <cstring>) instead of C headers Testing: - Add SubmitCcmdReadSysfsPathTraversal unit test covering various paths. Signed-off-by: Wendy Liang <wendy.liang@amd.com>
wendyliang25
changed the title
3 participants
Add path validation to read_sysfs().
Code cleanup:
Testing: