[Qemu-devel] [PULL 0/2] Fixes 31 20181203 patches

qemu-devel.nongnu.org archive mirror
 help / color / mirror / Atom feed

* [Qemu-devel] [PULL 0/2] Fixes 31 20181203 patches
@ 2018-12-03 19:50 Gerd Hoffmann
  2018-12-03 19:50 ` [Qemu-devel] [PULL 1/2] usb-mtp: fix utf16_to_str Gerd Hoffmann
                   ` (2 more replies)
  0 siblings, 3 replies; 5+ messages in thread
From: Gerd Hoffmann @ 2018-12-03 19:50 UTC (permalink / raw)
  To: qemu-devel; +Cc: Gerd Hoffmann

The following changes since commit 039d4e3df0049bdd8f93a2de735a816483b13954:

  scsi: Address spurious clang warning (2018-11-27 23:56:12 +0000)

are available in the git repository at:

  git://git.kraxel.org/qemu tags/fixes-31-20181203-pull-request

for you to fetch changes up to c52d46e041b42bb1ee6f692e00a0abe37a9659f6:

  usb-mtp: outlaw slashes in filenames (2018-12-03 19:40:17 +0100)

----------------------------------------------------------------
usb: mtp fixes.

----------------------------------------------------------------

Gerd Hoffmann (2):
  usb-mtp: fix utf16_to_str
  usb-mtp: outlaw slashes in filenames

 hw/usb/dev-mtp.c | 24 ++++++++++++++++++------
 1 file changed, 18 insertions(+), 6 deletions(-)

-- 
2.9.3

^ permalink raw reply	[flat|nested] 5+ messages in thread

* [Qemu-devel] [PULL 1/2] usb-mtp: fix utf16_to_str
  2018-12-03 19:50 [Qemu-devel] [PULL 0/2] Fixes 31 20181203 patches Gerd Hoffmann
@ 2018-12-03 19:50 ` Gerd Hoffmann
  2018-12-03 20:00   ` Eric Blake
  2018-12-03 19:50 ` [Qemu-devel] [PULL 2/2] usb-mtp: outlaw slashes in filenames Gerd Hoffmann
  2018-12-04  9:36 ` [Qemu-devel] [PULL 0/2] Fixes 31 20181203 patches Peter Maydell
  2 siblings, 1 reply; 5+ messages in thread
From: Gerd Hoffmann @ 2018-12-03 19:50 UTC (permalink / raw)
  To: qemu-devel; +Cc: Gerd Hoffmann

Make utf16_to_str return an allocated string.  Remove the assumtion that
the number of string bytes equals the number of utf16 chars (which is
only true for ascii chars).  Instead call wcstombs twice, once to figure
the storage size and once for the actual conversion (as suggested by the
wcstombs manpage).

FIXME: surrogate pairs are not working correctly.  Pre-existing bug,
fixing that is left for another day.

Reported-by: Michael Hanselmann <public@hansmi.ch>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Reviewed-by: Markus Armbruster <armbru@redhat.com>
Message-id: 20181203101045.27976-2-kraxel@redhat.com
---
 hw/usb/dev-mtp.c | 18 ++++++++++++------
 1 file changed, 12 insertions(+), 6 deletions(-)

diff --git a/hw/usb/dev-mtp.c b/hw/usb/dev-mtp.c
index 00a3691bae..0f6a9702ef 100644
--- a/hw/usb/dev-mtp.c
+++ b/hw/usb/dev-mtp.c
@@ -1593,17 +1593,23 @@ static void usb_mtp_cancel_packet(USBDevice *dev, USBPacket *p)
     fprintf(stderr, "%s\n", __func__);
 }
 
-static void utf16_to_str(uint8_t len, uint16_t *arr, char *name)
+static char *utf16_to_str(uint8_t len, uint16_t *arr)
 {
-    int count;
-    wchar_t *wstr = g_new0(wchar_t, len);
+    wchar_t *wstr = g_new0(wchar_t, len + 1);
+    int count, dlen;
+    char *dest;
 
     for (count = 0; count < len; count++) {
+        /* FIXME: not working for surrogate pairs */
         wstr[count] = (wchar_t)arr[count];
     }
+    wstr[count] = 0;
 
-    wcstombs(name, wstr, len);
+    dlen = wcstombs(NULL, wstr, 0) + 1;
+    dest = g_malloc(dlen);
+    wcstombs(dest, wstr, dlen);
     g_free(wstr);
+    return dest;
 }
 
 /* Wrapper around write, returns 0 on failure */
@@ -1703,7 +1709,7 @@ static void usb_mtp_write_metadata(MTPState *s)
 {
     MTPData *d = s->data_out;
     ObjectInfo *dataset = (ObjectInfo *)d->data;
-    char *filename = g_new0(char, dataset->length);
+    char *filename;
     MTPObject *o;
     MTPObject *p = usb_mtp_object_lookup(s, s->dataset.parent_handle);
     uint32_t next_handle = s->next_handle;
@@ -1711,7 +1717,7 @@ static void usb_mtp_write_metadata(MTPState *s)
     assert(!s->write_pending);
     assert(p != NULL);
 
-    utf16_to_str(dataset->length, dataset->filename, filename);
+    filename = utf16_to_str(dataset->length, dataset->filename);
 
     o = usb_mtp_object_lookup_name(p, filename, dataset->length);
     if (o != NULL) {
-- 
2.9.3

^ permalink raw reply related	[flat|nested] 5+ messages in thread

* Re: [Qemu-devel] [PULL 1/2] usb-mtp: fix utf16_to_str
  2018-12-03 19:50 ` [Qemu-devel] [PULL 1/2] usb-mtp: fix utf16_to_str Gerd Hoffmann
@ 2018-12-03 20:00   ` Eric Blake
  0 siblings, 0 replies; 5+ messages in thread
From: Eric Blake @ 2018-12-03 20:00 UTC (permalink / raw)
  To: Gerd Hoffmann, qemu-devel

On 12/3/18 1:50 PM, Gerd Hoffmann wrote:
> Make utf16_to_str return an allocated string.  Remove the assumtion that

s/assumtion/assumption/ (but probably too late to worry about commit 
typos in a pull request :)

> the number of string bytes equals the number of utf16 chars (which is
> only true for ascii chars).  Instead call wcstombs twice, once to figure
> the storage size and once for the actual conversion (as suggested by the
> wcstombs manpage).
> 
> FIXME: surrogate pairs are not working correctly.  Pre-existing bug,
> fixing that is left for another day.
> 
-- 
Eric Blake, Principal Software Engineer
Red Hat, Inc.           +1-919-301-3266
Virtualization:  qemu.org | libvirt.org

^ permalink raw reply	[flat|nested] 5+ messages in thread

* [Qemu-devel] [PULL 2/2] usb-mtp: outlaw slashes in filenames
  2018-12-03 19:50 [Qemu-devel] [PULL 0/2] Fixes 31 20181203 patches Gerd Hoffmann
  2018-12-03 19:50 ` [Qemu-devel] [PULL 1/2] usb-mtp: fix utf16_to_str Gerd Hoffmann
@ 2018-12-03 19:50 ` Gerd Hoffmann
  2018-12-04  9:36 ` [Qemu-devel] [PULL 0/2] Fixes 31 20181203 patches Peter Maydell
  2 siblings, 0 replies; 5+ messages in thread
From: Gerd Hoffmann @ 2018-12-03 19:50 UTC (permalink / raw)
  To: qemu-devel; +Cc: Gerd Hoffmann

Slash is unix directory separator, so they are not allowed in filenames.
Note this also stops the classic escape via "../".

Fixes: CVE-2018-16867
Reported-by: Michael Hanselmann <public@hansmi.ch>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Message-id: 20181203101045.27976-3-kraxel@redhat.com
---
 hw/usb/dev-mtp.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/hw/usb/dev-mtp.c b/hw/usb/dev-mtp.c
index 0f6a9702ef..100b7171f4 100644
--- a/hw/usb/dev-mtp.c
+++ b/hw/usb/dev-mtp.c
@@ -1719,6 +1719,12 @@ static void usb_mtp_write_metadata(MTPState *s)
 
     filename = utf16_to_str(dataset->length, dataset->filename);
 
+    if (strchr(filename, '/')) {
+        usb_mtp_queue_result(s, RES_PARAMETER_NOT_SUPPORTED, d->trans,
+                             0, 0, 0, 0);
+        return;
+    }
+
     o = usb_mtp_object_lookup_name(p, filename, dataset->length);
     if (o != NULL) {
         next_handle = o->handle;
-- 
2.9.3

^ permalink raw reply related	[flat|nested] 5+ messages in thread

* Re: [Qemu-devel] [PULL 0/2] Fixes 31 20181203 patches
  2018-12-03 19:50 [Qemu-devel] [PULL 0/2] Fixes 31 20181203 patches Gerd Hoffmann
  2018-12-03 19:50 ` [Qemu-devel] [PULL 1/2] usb-mtp: fix utf16_to_str Gerd Hoffmann
  2018-12-03 19:50 ` [Qemu-devel] [PULL 2/2] usb-mtp: outlaw slashes in filenames Gerd Hoffmann
@ 2018-12-04  9:36 ` Peter Maydell
  2 siblings, 0 replies; 5+ messages in thread
From: Peter Maydell @ 2018-12-04  9:36 UTC (permalink / raw)
  To: Gerd Hoffmann; +Cc: QEMU Developers

On Mon, 3 Dec 2018 at 19:51, Gerd Hoffmann <kraxel@redhat.com> wrote:
>
> The following changes since commit 039d4e3df0049bdd8f93a2de735a816483b13954:
>
>   scsi: Address spurious clang warning (2018-11-27 23:56:12 +0000)
>
> are available in the git repository at:
>
>   git://git.kraxel.org/qemu tags/fixes-31-20181203-pull-request
>
> for you to fetch changes up to c52d46e041b42bb1ee6f692e00a0abe37a9659f6:
>
>   usb-mtp: outlaw slashes in filenames (2018-12-03 19:40:17 +0100)
>
> ----------------------------------------------------------------
> usb: mtp fixes.
>
> ----------------------------------------------------------------
>
> Gerd Hoffmann (2):
>   usb-mtp: fix utf16_to_str
>   usb-mtp: outlaw slashes in filenames
>
>  hw/usb/dev-mtp.c | 24 ++++++++++++++++++------
>  1 file changed, 18 insertions(+), 6 deletions(-)
>
Applied, thanks.

-- PMM

^ permalink raw reply	[flat|nested] 5+ messages in thread

end of thread, other threads:[~2018-12-04  9:36 UTC | newest]

Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2018-12-03 19:50 [Qemu-devel] [PULL 0/2] Fixes 31 20181203 patches Gerd Hoffmann
2018-12-03 19:50 ` [Qemu-devel] [PULL 1/2] usb-mtp: fix utf16_to_str Gerd Hoffmann
2018-12-03 20:00   ` Eric Blake
2018-12-03 19:50 ` [Qemu-devel] [PULL 2/2] usb-mtp: outlaw slashes in filenames Gerd Hoffmann
2018-12-04  9:36 ` [Qemu-devel] [PULL 0/2] Fixes 31 20181203 patches Peter Maydell

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).