From patchwork Mon Dec 3 19:50:38 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Gerd Hoffmann X-Patchwork-Id: 10710471 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 3DA6B14BD for ; Mon, 3 Dec 2018 19:51:45 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 2FDC02AE3B for ; Mon, 3 Dec 2018 19:51:45 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 244832B32D; Mon, 3 Dec 2018 19:51:45 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-7.9 required=2.0 tests=BAYES_00,MAILING_LIST_MULTI, RCVD_IN_DNSWL_HI autolearn=ham version=3.3.1 Received: from lists.gnu.org (lists.gnu.org [208.118.235.17]) (using TLSv1 with cipher AES256-SHA (256/256 bits)) (No client certificate requested) by mail.wl.linuxfoundation.org (Postfix) with ESMTPS id A90E42AE3B for ; Mon, 3 Dec 2018 19:51:44 +0000 (UTC) Received: from localhost ([::1]:51603 helo=lists.gnu.org) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1gTuFr-00051d-Iq for patchwork-qemu-devel@patchwork.kernel.org; Mon, 03 Dec 2018 14:51:43 -0500 Received: from eggs.gnu.org ([2001:4830:134:3::10]:49780) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1gTuEv-0003vU-KH for qemu-devel@nongnu.org; Mon, 03 Dec 2018 14:50:47 -0500 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1gTuEs-0006yk-Jo for qemu-devel@nongnu.org; Mon, 03 Dec 2018 14:50:45 -0500 Received: from mx1.redhat.com ([209.132.183.28]:57406) by eggs.gnu.org with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.71) (envelope-from ) id 1gTuEs-0006xy-BW for qemu-devel@nongnu.org; Mon, 03 Dec 2018 14:50:42 -0500 Received: from smtp.corp.redhat.com (int-mx04.intmail.prod.int.phx2.redhat.com [10.5.11.14]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 3A781C02834D for ; Mon, 3 Dec 2018 19:50:41 +0000 (UTC) Received: from sirius.home.kraxel.org (ovpn-116-59.ams2.redhat.com [10.36.116.59]) by smtp.corp.redhat.com (Postfix) with ESMTP id AF9455DE88; Mon, 3 Dec 2018 19:50:40 +0000 (UTC) Received: by sirius.home.kraxel.org (Postfix, from userid 1000) id BA5319D90; Mon, 3 Dec 2018 20:50:39 +0100 (CET) From: Gerd Hoffmann To: qemu-devel@nongnu.org Date: Mon, 3 Dec 2018 20:50:38 +0100 Message-Id: <20181203195039.29597-2-kraxel@redhat.com> In-Reply-To: <20181203195039.29597-1-kraxel@redhat.com> References: <20181203195039.29597-1-kraxel@redhat.com> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 2.79 on 10.5.11.14 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.31]); Mon, 03 Dec 2018 19:50:41 +0000 (UTC) X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic] [fuzzy] X-Received-From: 209.132.183.28 Subject: [Qemu-devel] [PULL 1/2] usb-mtp: fix utf16_to_str X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Gerd Hoffmann Errors-To: qemu-devel-bounces+patchwork-qemu-devel=patchwork.kernel.org@nongnu.org Sender: "Qemu-devel" X-Virus-Scanned: ClamAV using ClamSMTP Make utf16_to_str return an allocated string. Remove the assumtion that the number of string bytes equals the number of utf16 chars (which is only true for ascii chars). Instead call wcstombs twice, once to figure the storage size and once for the actual conversion (as suggested by the wcstombs manpage). FIXME: surrogate pairs are not working correctly. Pre-existing bug, fixing that is left for another day. Reported-by: Michael Hanselmann Signed-off-by: Gerd Hoffmann Reviewed-by: Peter Maydell Reviewed-by: Philippe Mathieu-Daudé Reviewed-by: Markus Armbruster Message-id: 20181203101045.27976-2-kraxel@redhat.com --- hw/usb/dev-mtp.c | 18 ++++++++++++------ 1 file changed, 12 insertions(+), 6 deletions(-) diff --git a/hw/usb/dev-mtp.c b/hw/usb/dev-mtp.c index 00a3691bae..0f6a9702ef 100644 --- a/hw/usb/dev-mtp.c +++ b/hw/usb/dev-mtp.c @@ -1593,17 +1593,23 @@ static void usb_mtp_cancel_packet(USBDevice *dev, USBPacket *p) fprintf(stderr, "%s\n", __func__); } -static void utf16_to_str(uint8_t len, uint16_t *arr, char *name) +static char *utf16_to_str(uint8_t len, uint16_t *arr) { - int count; - wchar_t *wstr = g_new0(wchar_t, len); + wchar_t *wstr = g_new0(wchar_t, len + 1); + int count, dlen; + char *dest; for (count = 0; count < len; count++) { + /* FIXME: not working for surrogate pairs */ wstr[count] = (wchar_t)arr[count]; } + wstr[count] = 0; - wcstombs(name, wstr, len); + dlen = wcstombs(NULL, wstr, 0) + 1; + dest = g_malloc(dlen); + wcstombs(dest, wstr, dlen); g_free(wstr); + return dest; } /* Wrapper around write, returns 0 on failure */ @@ -1703,7 +1709,7 @@ static void usb_mtp_write_metadata(MTPState *s) { MTPData *d = s->data_out; ObjectInfo *dataset = (ObjectInfo *)d->data; - char *filename = g_new0(char, dataset->length); + char *filename; MTPObject *o; MTPObject *p = usb_mtp_object_lookup(s, s->dataset.parent_handle); uint32_t next_handle = s->next_handle; @@ -1711,7 +1717,7 @@ static void usb_mtp_write_metadata(MTPState *s) assert(!s->write_pending); assert(p != NULL); - utf16_to_str(dataset->length, dataset->filename, filename); + filename = utf16_to_str(dataset->length, dataset->filename); o = usb_mtp_object_lookup_name(p, filename, dataset->length); if (o != NULL) { From patchwork Mon Dec 3 19:50:39 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Gerd Hoffmann X-Patchwork-Id: 10710475 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 9D01716B1 for ; Mon, 3 Dec 2018 19:53:18 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 908F92B2B6 for ; Mon, 3 Dec 2018 19:53:18 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 82F472B33C; Mon, 3 Dec 2018 19:53:18 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-7.9 required=2.0 tests=BAYES_00,MAILING_LIST_MULTI, RCVD_IN_DNSWL_HI autolearn=ham version=3.3.1 Received: from lists.gnu.org (lists.gnu.org [208.118.235.17]) (using TLSv1 with cipher AES256-SHA (256/256 bits)) (No client certificate requested) by mail.wl.linuxfoundation.org (Postfix) with ESMTPS id 1C2B42B2B6 for ; Mon, 3 Dec 2018 19:53:18 +0000 (UTC) Received: from localhost ([::1]:51611 helo=lists.gnu.org) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1gTuHM-0007Yw-Un for patchwork-qemu-devel@patchwork.kernel.org; Mon, 03 Dec 2018 14:53:16 -0500 Received: from eggs.gnu.org ([2001:4830:134:3::10]:49781) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1gTuEv-0003vV-KY for qemu-devel@nongnu.org; Mon, 03 Dec 2018 14:50:47 -0500 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1gTuEs-0006yW-By for qemu-devel@nongnu.org; Mon, 03 Dec 2018 14:50:45 -0500 Received: from mx1.redhat.com ([209.132.183.28]:56278) by eggs.gnu.org with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.71) (envelope-from ) id 1gTuEs-0006x1-4i for qemu-devel@nongnu.org; Mon, 03 Dec 2018 14:50:42 -0500 Received: from smtp.corp.redhat.com (int-mx03.intmail.prod.int.phx2.redhat.com [10.5.11.13]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 15C1B3002607 for ; Mon, 3 Dec 2018 19:50:41 +0000 (UTC) Received: from sirius.home.kraxel.org (ovpn-116-59.ams2.redhat.com [10.36.116.59]) by smtp.corp.redhat.com (Postfix) with ESMTP id AD0AC608C2; Mon, 3 Dec 2018 19:50:40 +0000 (UTC) Received: by sirius.home.kraxel.org (Postfix, from userid 1000) id C20FA9D93; Mon, 3 Dec 2018 20:50:39 +0100 (CET) From: Gerd Hoffmann To: qemu-devel@nongnu.org Date: Mon, 3 Dec 2018 20:50:39 +0100 Message-Id: <20181203195039.29597-3-kraxel@redhat.com> In-Reply-To: <20181203195039.29597-1-kraxel@redhat.com> References: <20181203195039.29597-1-kraxel@redhat.com> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 2.79 on 10.5.11.13 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.40]); Mon, 03 Dec 2018 19:50:41 +0000 (UTC) X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic] [fuzzy] X-Received-From: 209.132.183.28 Subject: [Qemu-devel] [PULL 2/2] usb-mtp: outlaw slashes in filenames X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Gerd Hoffmann Errors-To: qemu-devel-bounces+patchwork-qemu-devel=patchwork.kernel.org@nongnu.org Sender: "Qemu-devel" X-Virus-Scanned: ClamAV using ClamSMTP Slash is unix directory separator, so they are not allowed in filenames. Note this also stops the classic escape via "../". Fixes: CVE-2018-16867 Reported-by: Michael Hanselmann Signed-off-by: Gerd Hoffmann Reviewed-by: Philippe Mathieu-Daudé Message-id: 20181203101045.27976-3-kraxel@redhat.com --- hw/usb/dev-mtp.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/hw/usb/dev-mtp.c b/hw/usb/dev-mtp.c index 0f6a9702ef..100b7171f4 100644 --- a/hw/usb/dev-mtp.c +++ b/hw/usb/dev-mtp.c @@ -1719,6 +1719,12 @@ static void usb_mtp_write_metadata(MTPState *s) filename = utf16_to_str(dataset->length, dataset->filename); + if (strchr(filename, '/')) { + usb_mtp_queue_result(s, RES_PARAMETER_NOT_SUPPORTED, d->trans, + 0, 0, 0, 0); + return; + } + o = usb_mtp_object_lookup_name(p, filename, dataset->length); if (o != NULL) { next_handle = o->handle;