initrd/functions, init: harden rollback marker path handling

Prevent path traversal via a tampered rollback marker file:
- Read only the first line of the marker (blocks multi-line injection)
- Resolve the path with readlink -f before using it
- Validate the resolved path matches /boot/<brand>/backup_*.rom
  pattern; clear the marker and continue boot if it does not
- Use the resolved, validated path for the actual reflash

Also correct the comment in init for the manual rollback path ('b'):
the fallback-to-most-recent-backup behaviour described in the old
comment was never implemented; check_pending_rollback() returns
silently when no marker is present, so boot just continues.

Signed-off-by: Thierry Laurion <insurgo@riseup.net>

Author: tlaurion

initrd/etc/functions

@@ -297,16 +297,32 @@ check_pending_rollback() {
 		return 0
 	fi
 
-	backup_file="$(cat "$marker_file" 2>/dev/null || true)"
-
-	# Stale or corrupt marker (backup gone) - clear it and continue normal boot
-	if [ -z "$backup_file" ] || [ ! -f "$backup_file" ]; then
-		warn "Stale rollback marker found (backup not found: $backup_file) - clearing"
+	# Read first line only to avoid multi-line injection
+	backup_file="$(head -n 1 "$marker_file" 2>/dev/null || true)"
+	# Normalize path and validate it stays within /boot/${brand_lower}/
+	backup_file_resolved="$(readlink -f -- "$backup_file" 2>/dev/null || true)"
+
+	# Stale, corrupt, or unsafe marker - clear it and continue normal boot
+	if [ -z "$backup_file_resolved" ] || [ ! -f "$backup_file_resolved" ]; then
+		warn "Stale rollback marker found (backup not found: ${backup_file_resolved:-$backup_file}) - clearing"
 		mount -o remount,rw /boot 2>/dev/null || true
 		rm -f "$marker_file" 2>/dev/null || true
 		mount -o remount,ro /boot 2>/dev/null || true
 		return 0
 	fi
+	case "$backup_file_resolved" in
+	"/boot/${brand_lower}/backup_"*.rom)
+		# valid path, continue
+		;;
+	*)
+		warn "Invalid rollback marker path '$backup_file_resolved' - clearing"
+		mount -o remount,rw /boot 2>/dev/null || true
+		rm -f "$marker_file" 2>/dev/null || true
+		mount -o remount,ro /boot 2>/dev/null || true
+		return 0
+		;;
+	esac
+	backup_file="$backup_file_resolved"
 
 	DEBUG "pending_rollback found: $backup_file - starting 30-second confirmation countdown"
 

initrd/init

@@ -215,18 +215,16 @@ elif [ "$boot_option" = "o" ]; then
 	# just in case...
 	exit
 elif [ "$boot_option" = "b" ]; then
-	# Manual emergency rollback: mount /boot, find backup, and reflash.
-	# Uses the same check_pending_rollback() path (marker-based) or falls
-	# back to the most recent backup file if no marker is present.
+	# Manual emergency rollback: mount /boot and invoke marker-based rollback.
+	# Uses check_pending_rollback() which handles the 30-second countdown,
+	# --no-backup, and --bypass-verify. If no marker is present it returns
+	# silently and boot continues normally.
 	printf '\a'
 	echo -e "***** Manual rollback requested\n" >/dev/tty0
 	if [ -n "$CONFIG_BOOT_DEV" ] && [ -e "$CONFIG_BOOT_DEV" ]; then
 		mount -o ro "$CONFIG_BOOT_DEV" /boot 2>/dev/null || true
 	fi
-	# check_pending_rollback handles the 30-second countdown, --no-backup,
-	# and --bypass-verify.  If no marker is found it returns silently.
 	check_pending_rollback
-	# If marker was absent or rollback was confirmed (kept), continue normal boot.
 fi
 
 if [ "$CONFIG_BASIC" = "y" ]; then