From: Gerd Hoffmann
To: qemu-devel@nongnu.org
Cc: public@hansmi.ch, Gerd Hoffmann
Date: Mon, 3 Dec 2018 09:59:37 +0100
Message-Id: <20181203085938.10247-2-kraxel@redhat.com>
In-Reply-To: <20181203085938.10247-1-kraxel@redhat.com>
Subject: [Qemu-devel] [PATCH for-3.1 v2 1/2] usb-mtp: fix utf16_to_str

Make utf16_to_str return an allocated string. Remove the assumption that the number of string bytes equals the number of utf16 chars (which is only true for ascii chars). Instead call wcstombs twice, once to figure the storage size and once for the actual conversion (as suggested by the wcstombs manpage).

Reported-by: Michael Hanselmann
Signed-off-by: Gerd Hoffmann
---
 hw/usb/dev-mtp.c | 18 ++++++++++++------
 1 file changed, 12 insertions(+), 6 deletions(-)

diff --git a/hw/usb/dev-mtp.c b/hw/usb/dev-mtp.c
index 00a3691bae..0f6a9702ef 100644
--- a/hw/usb/dev-mtp.c
+++ b/hw/usb/dev-mtp.c
@@ -1593,17 +1593,23 @@ static void usb_mtp_cancel_packet(USBDevice *dev, U= SBPacket *p) fprintf(stderr, "%s\n", __func__); } =20 -static void utf16_to_str(uint8_t len, uint16_t *arr, char *name) +static char *utf16_to_str(uint8_t len, uint16_t *arr) { - int count; - wchar_t *wstr =3D g_new0(wchar_t, len); + wchar_t *wstr =3D g_new0(wchar_t, len + 1); + int count, dlen; + char *dest; =20 for (count =3D 0; count < len; count++) { + /* FIXME: not working for surrogate pairs */ wstr[count] =3D (wchar_t)arr[count]; } + wstr[count] =3D 0; =20 - wcstombs(name, wstr, len); + dlen =3D wcstombs(NULL, wstr, 0) + 1; + dest =3D g_malloc(dlen); + wcstombs(dest, wstr, dlen); g_free(wstr); + return dest; } =20 /* Wrapper around write, returns 0 on failure */ @@ -1703,7 +1709,7 @@ static void usb_mtp_write_metadata(MTPState *s) { MTPData *d =3D s->data_out; ObjectInfo *dataset =3D (ObjectInfo *)d->data; - char *filename =3D g_new0(char, dataset->length); + char *filename; MTPObject *o; MTPObject *p =3D usb_mtp_object_lookup(s, s->dataset.parent_handle); uint32_t next_handle =3D s->next_handle; 
@@ -1711,7 +1717,7 @@ static void usb_mtp_write_metadata(MTPState *s) assert(!s->write_pending); assert(p !=3D NULL); =20 - utf16_to_str(dataset->length, dataset->filename, filename); + filename =3D utf16_to_str(dataset->length, dataset->filename); =20 o =3D usb_mtp_object_lookup_name(p, filename, dataset->length); if (o !=3D NULL) { --=20 2.9.3
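Review bot: in the utf16_to_str hunk, the result of `wcstombs(NULL, wstr, 0)` is used without a failure check: wcstombs returns (size_t)-1 when a wide character cannot be converted in the current locale, so `dlen =3D wcstombs(NULL, wstr, 0) + 1;` becomes 0, `g_malloc(0)` returns NULL, the second wcstombs call is a no-op, and the function hands NULL back to a caller that treats the result as a string. Keep the length in a size_t, compare it against (size_t)-1, and return an empty string or propagate the error before allocating. In the usb_mtp_write_metadata hunk, `o =3D usb_mtp_object_lookup_name(p, filename, dataset->length);` still passes the UTF-16 code-unit count as the length of the converted filename, which is exactly the byte-count-equals-char-count assumption the commit message says this patch removes; `strlen(filename)` matches the new allocated string. The surrogate-pair FIXME added in the loop is worth a sentence in the commit message so the remaining gap is visible to reviewers.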
From: Gerd Hoffmann
To: qemu-devel@nongnu.org
Cc: public@hansmi.ch, Gerd Hoffmann
Date: Mon, 3 Dec 2018 09:59:38 +0100
Message-Id: <20181203085938.10247-3-kraxel@redhat.com>
In-Reply-To: <20181203085938.10247-1-kraxel@redhat.com>
Subject: [Qemu-devel] [PATCH for-3.1 v2 2/2] usb-mtp: outlaw slashes in filenames

Slash is the unix directory separator, so slashes are not allowed in filenames. Note this also stops the classic escape via "../".

Fixes: CVE-2018-16867
Reported-by: Michael Hanselmann
Signed-off-by: Gerd Hoffmann
Reviewed-by: Philippe Mathieu-Daudé
---
 hw/usb/dev-mtp.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/hw/usb/dev-mtp.c b/hw/usb/dev-mtp.c
index 0f6a9702ef..e340a2c6e3 100644
--- a/hw/usb/dev-mtp.c
+++ b/hw/usb/dev-mtp.c
@@ -1719,6 +1719,12 @@ static void usb_mtp_write_metadata(MTPState *s) =20 filename =3D utf16_to_str(dataset->length, dataset->filename); =20 + if (strchr(filename, '/')) { + usb_mtp_queue_result(s, PARAMETER_NOT_SUPPORTED, d->trans, + 0, 0, 0, 0); + return; + } + o =3D usb_mtp_object_lookup_name(p, filename, dataset->length); if (o !=3D NULL) { next_handle =3D o->handle; --=20 2.9.3
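Review bot: the early `return;` inside the new `if (strchr(filename, '/'))` block leaks `filename`, which since the previous patch is heap-allocated by `utf16_to_str()` two lines above; add `g_free(filename);` before the return, or route the rejection through the function's normal cleanup path so the allocation and any other teardown stay in one place. The check also dereferences `filename` unconditionally, so if `utf16_to_str()` can come back NULL on a failed wcstombs conversion (see the previous patch), that case needs to be rejected here as well rather than passed to strchr.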
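An added example, written for this page rather than taken from QEMU or the patches above, that carries both fixes in the series through to a self-contained form: the conversion sizes its output from what it actually encodes (so the byte count is decoupled from `dataset->length`, the assumption the first commit removes), joins the surrogate pairs the patch's FIXME leaves open, and fails closed on malformed input instead of returning an unchecked buffer; the filename check rejects `/` as the second patch does and, as my own extension beyond the patch, also refuses the empty name and the `.`/`..` components. It uses a hand-written UTF-8 encoder instead of wcstombs() so it does not depend on the process locale; `utf16_to_utf8` and `mtp_filename_ok` are names of my choosing.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Decode `len` UTF-16 code units into a malloc'd, NUL-terminated UTF-8 string.
 * Unlike a wcstombs() round trip this does not depend on the process locale,
 * joins surrogate pairs, and returns NULL (not a half-converted buffer) on a
 * lone surrogate or an embedded U+0000, which would silently truncate the
 * resulting C string. The caller frees the result. */
char *utf16_to_utf8(size_t len, const uint16_t *arr)
{
    static const unsigned char lead[] = { 0x00, 0x00, 0xC0, 0xE0, 0xF0 };
    /* Worst case: 3 bytes per BMP unit; a surrogate pair (2 units) gives 4. */
    char *out = malloc(len * 3 + 1);
    size_t o = 0;

    if (out == NULL) return NULL;
    for (size_t i = 0; i < len; i++) {
        uint32_t cp = arr[i];
        if (cp >= 0xD800 && cp <= 0xDBFF) {           /* high surrogate */
            if (i + 1 >= len || arr[i + 1] < 0xDC00 || arr[i + 1] > 0xDFFF)
                goto invalid;                          /* unpaired high */
            cp = 0x10000 + ((cp - 0xD800) << 10) + (arr[i + 1] - 0xDC00);
            i++;
        } else if ((cp >= 0xDC00 && cp <= 0xDFFF) || cp == 0) {
            goto invalid;                              /* lone low, or NUL */
        }
        /* Emit cp as 1..4 UTF-8 bytes: lead byte, then 6-bit continuations. */
        int n = cp < 0x80 ? 1 : cp < 0x800 ? 2 : cp < 0x10000 ? 3 : 4;
        out[o] = (char)(lead[n] | (cp >> (6 * (n - 1))));
        for (int k = 1; k < n; k++)
            out[o + k] = (char)(0x80 | ((cp >> (6 * (n - 1 - k))) & 0x3F));
        o += n;
    }
    out[o] = '\0';
    return out;
invalid:
    free(out);
    return NULL;
}

/* Name policy for a filename sent by the MTP initiator: refuse '/' as the
 * second patch does, plus (my extension, not in the patch) the empty name
 * and the "." and ".." components. */
int mtp_filename_ok(const char *name)
{
    return name != NULL && name[0] != '\0' && strchr(name, '/') == NULL &&
           strcmp(name, ".") != 0 && strcmp(name, "..") != 0;
}
```

The U+00E9 case in the checks below is the one the first commit message describes: one UTF-16 unit becomes two bytes, so a buffer sized from the unit count would have been one byte short.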