From patchwork Mon Apr 15 15:45:01 2019
X-Patchwork-Id: 10901073
From: Daniel P. Berrangé
To: qemu-devel@nongnu.org
Date: Mon, 15 Apr 2019 16:45:01 +0100
Message-Id: <20190415154503.6758-2-berrange@redhat.com>
In-Reply-To: <20190415154503.6758-1-berrange@redhat.com>
Subject: [Qemu-devel] [PATCH 1/3] usb-mtp: fix string length for filename when writing metadata
Cc: Peter Maydell, Thomas Huth, Greg Kurz, Bandan Das, Gerd Hoffmann

The ObjectInfo 'length' field provides the length of the wide character string filename. This is then converted to a multi-byte character string. This may have a different byte count to the wide character string. We should use the C string length of the multi-byte string instead.

Signed-off-by: Daniel P. Berrangé
---
 hw/usb/dev-mtp.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hw/usb/dev-mtp.c b/hw/usb/dev-mtp.c
index ebf210fbf8..838cd74da6 100644
--- a/hw/usb/dev-mtp.c
+++ b/hw/usb/dev-mtp.c
@@ -1714,7 +1714,7 @@ static void usb_mtp_write_metadata(MTPState *s, uint64_t dlen) return; } - o = usb_mtp_object_lookup_name(p, filename, dataset->length); + o = usb_mtp_object_lookup_name(p, filename, -1); if (o != NULL) { next_handle = o->handle; }
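Review bot: the new call passes -1 as the length, but neither this hunk nor the commit message shows how usb_mtp_object_lookup_name interprets a negative length; if the convention is "compute strlen(filename) internally", state that in the commit message, or pass strlen(filename) explicitly at the call site, which also avoids depending on what -1 becomes if the length parameter is unsigned.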
From: Daniel P. Berrangé
To: qemu-devel@nongnu.org
Date: Mon, 15 Apr 2019 16:45:02 +0100
Message-Id: <20190415154503.6758-3-berrange@redhat.com>
In-Reply-To: <20190415154503.6758-1-berrange@redhat.com>
Subject: [Qemu-devel] [PATCH 2/3] usb-mtp: fix bounds check for guest provided filename
Cc: Peter Maydell, Thomas Huth, Greg Kurz, Bandan Das, Gerd Hoffmann

The ObjectInfo struct has a variable length array containing the UTF-16 encoded filename. The number of characters of trailing data is given by the 'length' field in the struct and this must be validated against the size of the data packet received from the guest. Since the data is UTF-16, we must convert the byte count we have to a character count before validating. This must take care to truncate if a malicious guest sent an odd number of bytes.

Signed-off-by: Daniel P. Berrangé
Reviewed-by: Bandan Das
---
 hw/usb/dev-mtp.c | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/hw/usb/dev-mtp.c b/hw/usb/dev-mtp.c
index 838cd74da6..6b7d1296e4 100644
--- a/hw/usb/dev-mtp.c
+++ b/hw/usb/dev-mtp.c
@@ -1699,12 +1699,19 @@ static void usb_mtp_write_metadata(MTPState *s, uint64_t dlen) MTPObject *o; MTPObject *p = usb_mtp_object_lookup(s, s->dataset.parent_handle); uint32_t next_handle = s->next_handle; + size_t filename_chars = dlen - offsetof(ObjectInfo, filename); + + /* + * filename is utf-16. We're intentionally doing + * integer division to truncate if malicious guest + * sent an odd number of bytes. + */ + filename_chars /= 2; assert(!s->write_pending); assert(p != NULL); - filename = utf16_to_str(MIN(dataset->length, - dlen - offsetof(ObjectInfo, filename)), + filename = utf16_to_str(MIN(dataset->length, filename_chars), dataset->filename); if (strchr(filename, '/')) {
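Review bot: `size_t filename_chars = dlen - offsetof(ObjectInfo, filename);` is unguarded; if dlen is smaller than offsetof(ObjectInfo, filename) the subtraction wraps to a very large size_t, and `MIN(dataset->length, filename_chars)` then selects dataset->length, so the read is bounded only by the guest's own length byte rather than by the packet. Unless an earlier check not visible in this hunk already rejects packets shorter than the header, add `if (dlen < offsetof(ObjectInfo, filename)) return;` before the subtraction, or point at the existing check in the commit message.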
From: Daniel P. Berrangé
To: qemu-devel@nongnu.org
Date: Mon, 15 Apr 2019 16:45:03 +0100
Message-Id: <20190415154503.6758-4-berrange@redhat.com>
In-Reply-To: <20190415154503.6758-1-berrange@redhat.com>
Subject: [Qemu-devel] [PATCH 3/3] usb-mtp: fix alignment of access of ObjectInfo filename field
Cc: Peter Maydell, Thomas Huth, Greg Kurz, Bandan Das, Gerd Hoffmann

The ObjectInfo struct's "filename" field is following a uint8_t field in a packed struct and thus has bad alignment for a 16-bit field. Switch the field to uint8_t and use the helper function for accessing unaligned 16-bit data. Note that although the MTP spec specifies big endian, when transported over the USB protocol, data is little endian.

Signed-off-by: Daniel P. Berrangé
---
 hw/usb/dev-mtp.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/hw/usb/dev-mtp.c b/hw/usb/dev-mtp.c
index 6b7d1296e4..963449ec7d 100644
--- a/hw/usb/dev-mtp.c
+++ b/hw/usb/dev-mtp.c
@@ -226,7 +226,7 @@ typedef struct { uint32_t assoc_desc; uint32_t seq_no; /*unused*/ uint8_t length; /*part of filename field*/ - uint16_t filename[0]; + uint8_t filename[0]; /* UTF-16 encoded */ char date_created[0]; /*unused*/ char date_modified[0]; /*unused*/ char keywords[0]; /*unused*/
@@ -1551,7 +1551,7 @@ static void usb_mtp_cancel_packet(USBDevice *dev, USBPacket *p) fprintf(stderr, "%s\n", __func__); } -static char *utf16_to_str(uint8_t len, uint16_t *arr) +static char *utf16_to_str(uint8_t len, uint8_t *str16) { wchar_t *wstr = g_new0(wchar_t, len + 1); int count, dlen; @@ -1559,7 +1559,7 @@ static char *utf16_to_str(uint8_t len, uint16_t *arr) for (count = 0; count < len; count++) { /* FIXME: not working for surrogate pairs */ - wstr[count] = (wchar_t)arr[count]; + wstr[count] = lduw_le_p(str16 + (count * 2)); } wstr[count] = 0;
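Review bot: in the @@ -226 hunk, the comment on the new `uint8_t filename[0]; /* UTF-16 encoded */` should also record that `length` counts 16-bit code units while the array is now indexed in bytes (2 * length bytes), since every reader of the field now has to do that conversion by hand; the existing `/*part of filename field*/` comment on `length` is the natural place to state it.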
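Review bot: in the @@ -1559 hunk, `wstr[count] = lduw_le_p(str16 + (count * 2));` hard-codes little-endian, which the commit message justifies (USB carries the data little-endian) even though the MTP spec says big endian; put that one-line justification in a comment beside the load so a later reader does not "correct" it to the big-endian helper. The `/* FIXME: not working for surrogate pairs */` remark is unchanged and still applies, since each 16-bit code unit is still assigned to one wchar_t.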
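As an added example that is not QEMU's code, the following ties together the rules from patches 2 and 3 in one hardened reader: reject packets shorter than the header, turn the remaining byte count into a UTF-16 code-unit count with any odd trailing byte truncated, bound it by the guest's length byte, and read the unaligned little-endian code units byte-wise (ld16_le plays the role of lduw_le_p). The cut-down ObjectInfoMini layout, the function names, the out_cap parameter and the '/' rejection (carried over from the strchr check in the hunk context) are all assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical cut-down ObjectInfo: only the fields needed here, laid out
 * so that filename follows a 1-byte length field, as in dev-mtp.c. The real
 * struct has many more fields, so the offsets here are not QEMU's. */
typedef struct __attribute__((packed)) {
    uint32_t storage_id;
    uint8_t  length;       /* number of UTF-16 code units in filename */
    uint8_t  filename[];   /* UTF-16LE bytes, 2 * length, unaligned */
} ObjectInfoMini;

/* Unaligned little-endian 16-bit load; same role as QEMU's lduw_le_p. */
static uint16_t ld16_le(const uint8_t *p)
{
    return (uint16_t)(p[0] | (p[1] << 8));
}

/* Decode the guest-supplied filename into a NUL-terminated array of UTF-16
 * code units without ever reading past the dlen bytes actually received.
 * Returns the number of code units decoded, or -1 if the packet cannot hold
 * the header, the output buffer is too small, or the name contains '/'. */
int mtp_read_filename(const uint8_t *pkt, size_t dlen,
                      uint16_t *out, size_t out_cap)
{
    const ObjectInfoMini *oi = (const ObjectInfoMini *)pkt;
    size_t avail, n, i;

    /* Guard the subtraction: dlen < offsetof would wrap to SIZE_MAX. */
    if (dlen < offsetof(ObjectInfoMini, filename))
        return -1;
    /* Integer division truncates an odd trailing byte, as patch 2 does. */
    avail = (dlen - offsetof(ObjectInfoMini, filename)) / 2;
    n = oi->length < avail ? oi->length : avail;   /* MIN(length, chars) */
    if (n >= out_cap)
        return -1;
    for (i = 0; i < n; i++) {
        out[i] = ld16_le(oi->filename + i * 2);
        if (out[i] == '/')        /* path separator: reject, like dev-mtp.c */
            return -1;
    }
    out[n] = 0;
    return (int)n;
}

int main(void)
{
    /* Constructed packet: length byte claims 200 units, only 3 are present. */
    const uint8_t pkt[] = { 1, 0, 0, 0, 200, 'a', 0, 'b', 0, 'c', 0 };
    uint16_t name[8];
    printf("decoded %d code units\n", mtp_read_filename(pkt, sizeof pkt, name, 8));
    return 0;
}
```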