* [Qemu-devel] [PULL 0/2] Fixes 31 20181203 patches
From: Gerd Hoffmann @ 2018-12-03 19:50 UTC (permalink / raw)
  To: qemu-devel; +Cc: Gerd Hoffmann

The following changes since commit 039d4e3df0049bdd8f93a2de735a816483b13954:

  scsi: Address spurious clang warning (2018-11-27 23:56:12 +0000)

are available in the git repository at:

  git://git.kraxel.org/qemu tags/fixes-31-20181203-pull-request

for you to fetch changes up to c52d46e041b42bb1ee6f692e00a0abe37a9659f6:

  usb-mtp: outlaw slashes in filenames (2018-12-03 19:40:17 +0100)

----------------------------------------------------------------
usb: mtp fixes.

----------------------------------------------------------------

Gerd Hoffmann (2):
  usb-mtp: fix utf16_to_str
  usb-mtp: outlaw slashes in filenames

 hw/usb/dev-mtp.c | 24 ++++++++++++++++++------
 1 file changed, 18 insertions(+), 6 deletions(-)

-- 
2.9.3


* [Qemu-devel] [PULL 1/2] usb-mtp: fix utf16_to_str
From: Gerd Hoffmann @ 2018-12-03 19:50 UTC (permalink / raw)
  To: qemu-devel; +Cc: Gerd Hoffmann

Make utf16_to_str return an allocated string.  Remove the assumption that
the number of string bytes equals the number of utf16 chars (which is
only true for ascii chars).  Instead call wcstombs twice, once to figure
the storage size and once for the actual conversion (as suggested by the
wcstombs manpage).

FIXME: surrogate pairs are not working correctly.  Pre-existing bug,
fixing that is left for another day.

Reported-by: Michael Hanselmann <public@hansmi.ch>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Reviewed-by: Markus Armbruster <armbru@redhat.com>
Message-id: 20181203101045.27976-2-kraxel@redhat.com
---
 hw/usb/dev-mtp.c | 18 ++++++++++++------
 1 file changed, 12 insertions(+), 6 deletions(-)

diff --git a/hw/usb/dev-mtp.c b/hw/usb/dev-mtp.c
index 00a3691bae..0f6a9702ef 100644
--- a/hw/usb/dev-mtp.c
+++ b/hw/usb/dev-mtp.c
@@ -1593,17 +1593,23 @@ static void usb_mtp_cancel_packet(USBDevice *dev, USBPacket *p)
     fprintf(stderr, "%s\n", __func__);
 }
 
-static void utf16_to_str(uint8_t len, uint16_t *arr, char *name)
+static char *utf16_to_str(uint8_t len, uint16_t *arr)
 {
-    int count;
-    wchar_t *wstr = g_new0(wchar_t, len);
+    wchar_t *wstr = g_new0(wchar_t, len + 1);
+    int count, dlen;
+    char *dest;
 
     for (count = 0; count < len; count++) {
+        /* FIXME: not working for surrogate pairs */
         wstr[count] = (wchar_t)arr[count];
     }
+    wstr[count] = 0;
 
-    wcstombs(name, wstr, len);
+    dlen = wcstombs(NULL, wstr, 0) + 1;
+    dest = g_malloc(dlen);
+    wcstombs(dest, wstr, dlen);
     g_free(wstr);
+    return dest;
 }
 
 /* Wrapper around write, returns 0 on failure */
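Review bot: the sizing call at `dlen = wcstombs(NULL, wstr, 0) + 1;` is not checked for failure. wcstombs returns (size_t)-1 when a wide character cannot be represented in the current locale (for example any non-ASCII character while the process is still in the "C" locale); stored in an `int` and incremented that becomes `dlen == 0`, so `g_malloc(0)` returns NULL and the function hands NULL back to callers that go on to use it as a string. Suggest keeping the size_t result, testing it against `(size_t)-1`, and returning NULL (or an error) explicitly so the caller can reject the object instead of crashing; the locale dependency of this conversion is also worth a comment next to the FIXME.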
@@ -1703,7 +1709,7 @@ static void usb_mtp_write_metadata(MTPState *s)
 {
     MTPData *d = s->data_out;
     ObjectInfo *dataset = (ObjectInfo *)d->data;
-    char *filename = g_new0(char, dataset->length);
+    char *filename;
     MTPObject *o;
     MTPObject *p = usb_mtp_object_lookup(s, s->dataset.parent_handle);
     uint32_t next_handle = s->next_handle;
@@ -1711,7 +1717,7 @@ static void usb_mtp_write_metadata(MTPState *s)
     assert(!s->write_pending);
     assert(p != NULL);
 
-    utf16_to_str(dataset->length, dataset->filename, filename);
+    filename = utf16_to_str(dataset->length, dataset->filename);
 
     o = usb_mtp_object_lookup_name(p, filename, dataset->length);
     if (o != NULL) {
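Review bot: `usb_mtp_object_lookup_name(p, filename, dataset->length)` in the trailing context still passes the UTF-16 unit count as the filename length, although the commit message's own point is that the byte count equals the unit count only for ASCII. If that parameter is a byte length, it should be `strlen(filename)` (or the size wcstombs reported); otherwise a non-ASCII name is compared on a truncated prefix. The new heap string also needs a matching `g_free(filename)` on every exit of this function, which the visible context does not show.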
-- 
2.9.3


* [Qemu-devel] [PULL 2/2] usb-mtp: outlaw slashes in filenames
From: Gerd Hoffmann @ 2018-12-03 19:50 UTC (permalink / raw)
  To: qemu-devel; +Cc: Gerd Hoffmann

Slash is the unix directory separator, so slashes are not allowed in filenames.
Note this also stops the classic escape via "../".

Fixes: CVE-2018-16867
Reported-by: Michael Hanselmann <public@hansmi.ch>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Message-id: 20181203101045.27976-3-kraxel@redhat.com
---
 hw/usb/dev-mtp.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/hw/usb/dev-mtp.c b/hw/usb/dev-mtp.c
index 0f6a9702ef..100b7171f4 100644
--- a/hw/usb/dev-mtp.c
+++ b/hw/usb/dev-mtp.c
@@ -1719,6 +1719,12 @@ static void usb_mtp_write_metadata(MTPState *s)
 
     filename = utf16_to_str(dataset->length, dataset->filename);
 
+    if (strchr(filename, '/')) {
+        usb_mtp_queue_result(s, RES_PARAMETER_NOT_SUPPORTED, d->trans,
+                             0, 0, 0, 0);
+        return;
+    }
+
     o = usb_mtp_object_lookup_name(p, filename, dataset->length);
     if (o != NULL) {
         next_handle = o->handle;
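Review bot: the early `return;` after `usb_mtp_queue_result(...)` leaks `filename`, which since the previous patch is a heap string returned by `utf16_to_str`; add `g_free(filename);` before returning. `strchr(filename, '/')` also dereferences the pointer unconditionally, so if the conversion can yield NULL (the unchecked wcstombs path in patch 1) a NULL test belongs ahead of it. The check rejects any '/', which covers the "../" case the message names; a bare "." or ".." name contains no slash and passes, so it is worth deciding whether those should be refused here as well.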
-- 
2.9.3
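
The two patches above describe a conversion (count the output bytes first, then allocate and convert) and a filename policy (no '/' anywhere). The following is an added, self-contained C example that is not part of the QEMU patches or the thread: it swaps wcstombs for a hand-written, locale-independent UTF-16 to UTF-8 conversion so that surrogate pairs (the FIXME in patch 1) and conversion failures are handled explicitly, then applies the slash check from patch 2 and frees the buffer on rejection. The function names `utf16_to_utf8`, `mtp_filename_ok` and `mtp_checked_filename`, the rejection of empty, "." and ".." names, and the sample inputs are all assumptions made for this example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Decode one code point from arr[*i] (len units total). Returns the code
 * point, or -1 on an unpaired surrogate. Advances *i by 1 or 2 units. */
static long utf16_decode_one(const uint16_t *arr, size_t len, size_t *i)
{
    uint16_t hi = arr[(*i)++];
    if (hi < 0xD800 || hi > 0xDFFF) {
        return hi;                 /* BMP character, a single unit */
    }
    if (hi >= 0xDC00 || *i >= len) {
        return -1;                 /* lone low surrogate, or high at end */
    }
    uint16_t lo = arr[*i];
    if (lo < 0xDC00 || lo > 0xDFFF) {
        return -1;                 /* high surrogate not followed by a low */
    }
    (*i)++;
    return 0x10000 + (((long)(hi - 0xD800) << 10) | (lo - 0xDC00));
}

/* Encode code point cp as UTF-8 into out; returns bytes written (1..4). */
static size_t utf8_encode(long cp, char *out)
{
    if (cp < 0x80) {
        out[0] = (char)cp;
        return 1;
    }
    if (cp < 0x800) {
        out[0] = (char)(0xC0 | (cp >> 6));
        out[1] = (char)(0x80 | (cp & 0x3F));
        return 2;
    }
    if (cp < 0x10000) {
        out[0] = (char)(0xE0 | (cp >> 12));
        out[1] = (char)(0x80 | ((cp >> 6) & 0x3F));
        out[2] = (char)(0x80 | (cp & 0x3F));
        return 3;
    }
    out[0] = (char)(0xF0 | (cp >> 18));
    out[1] = (char)(0x80 | ((cp >> 12) & 0x3F));
    out[2] = (char)(0x80 | ((cp >> 6) & 0x3F));
    out[3] = (char)(0x80 | (cp & 0x3F));
    return 4;
}

/* Convert len UTF-16 units to a NUL-terminated malloc'd UTF-8 string.
 * Two passes like the patch's wcstombs pattern (measure, then allocate and
 * write), but independent of the process locale. Returns NULL on an unpaired
 * surrogate or an embedded NUL (which would silently truncate the name). */
char *utf16_to_utf8(const uint16_t *arr, size_t len)
{
    char scratch[4];
    size_t i = 0, bytes = 0;
    while (i < len) {
        long cp = utf16_decode_one(arr, len, &i);
        if (cp <= 0) {
            return NULL;
        }
        bytes += utf8_encode(cp, scratch);
    }
    char *dest = malloc(bytes + 1);
    if (dest == NULL) {
        return NULL;
    }
    size_t pos = 0;
    for (i = 0; i < len; ) {
        pos += utf8_encode(utf16_decode_one(arr, len, &i), dest + pos);
    }
    dest[pos] = '\0';
    return dest;
}

/* Name policy from the second patch: no '/' anywhere, which also blocks the
 * "../" escape. Added assumption: empty, "." and ".." are rejected as well. */
int mtp_filename_ok(const char *name)
{
    if (name == NULL || name[0] == '\0' || strchr(name, '/') != NULL) {
        return 0;
    }
    return strcmp(name, ".") != 0 && strcmp(name, "..") != 0;
}

/* Convert, then validate; frees the buffer on rejection so the caller never
 * leaks it. Returns the malloc'd name, or NULL if rejected or unconvertible. */
char *mtp_checked_filename(const uint16_t *arr, size_t len)
{
    char *name = utf16_to_utf8(arr, len);
    if (name != NULL && !mtp_filename_ok(name)) {
        free(name);
        return NULL;
    }
    return name;
}

int main(void)
{
    /* Constructed samples: "aé.txt", "../etc", and U+1F600 as a surrogate pair. */
    const uint16_t plain[] = { 'a', 0x00E9, '.', 't', 'x', 't' };
    const uint16_t escape[] = { '.', '.', '/', 'e', 't', 'c' };
    const uint16_t pair[] = { 0xD83D, 0xDE00 };
    const uint16_t *inputs[] = { plain, escape, pair };
    const size_t lens[] = { 6, 6, 2 };
    for (int k = 0; k < 3; k++) {
        char *n = mtp_checked_filename(inputs[k], lens[k]);
        printf("sample %d: %s (%zu bytes)\n", k, n ? n : "rejected", n ? strlen(n) : 0);
        free(n);
    }
    return 0;
}
```

Note that the byte length of the result is `strlen(n)`, not the number of UTF-16 units: "aé.txt" is 6 units but 7 bytes, which is exactly the mismatch the first commit message describes.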


* Re: [Qemu-devel] [PULL 1/2] usb-mtp: fix utf16_to_str
From: Eric Blake @ 2018-12-03 20:00 UTC (permalink / raw)
  To: Gerd Hoffmann, qemu-devel

On 12/3/18 1:50 PM, Gerd Hoffmann wrote:
> Make utf16_to_str return an allocated string.  Remove the assumtion that

s/assumtion/assumption/ (but probably too late to worry about commit 
typos in a pull request :)

> the number of string bytes equals the number of utf16 chars (which is
> only true for ascii chars).  Instead call wcstombs twice, once to figure
> the storage size and once for the actual conversion (as suggested by the
> wcstombs manpage).
> 
> FIXME: surrogate pairs are not working correctly.  Pre-existing bug,
> fixing that is left for another day.
> 
-- 
Eric Blake, Principal Software Engineer
Red Hat, Inc.           +1-919-301-3266
Virtualization:  qemu.org | libvirt.org


* Re: [Qemu-devel] [PULL 0/2] Fixes 31 20181203 patches
From: Peter Maydell @ 2018-12-04  9:36 UTC (permalink / raw)
  To: Gerd Hoffmann; +Cc: QEMU Developers

On Mon, 3 Dec 2018 at 19:51, Gerd Hoffmann <kraxel@redhat.com> wrote:
>
> The following changes since commit 039d4e3df0049bdd8f93a2de735a816483b13954:
>
>   scsi: Address spurious clang warning (2018-11-27 23:56:12 +0000)
>
> are available in the git repository at:
>
>   git://git.kraxel.org/qemu tags/fixes-31-20181203-pull-request
>
> for you to fetch changes up to c52d46e041b42bb1ee6f692e00a0abe37a9659f6:
>
>   usb-mtp: outlaw slashes in filenames (2018-12-03 19:40:17 +0100)
>
> ----------------------------------------------------------------
> usb: mtp fixes.
>
> ----------------------------------------------------------------
>
> Gerd Hoffmann (2):
>   usb-mtp: fix utf16_to_str
>   usb-mtp: outlaw slashes in filenames
>
>  hw/usb/dev-mtp.c | 24 ++++++++++++++++++------
>  1 file changed, 18 insertions(+), 6 deletions(-)
>
Applied, thanks.

-- PMM
