From nobody Sun May 19 08:26:12 2024
Delivered-To: importer@patchew.org
Received-SPF: pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) client-ip=208.118.235.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org;
Authentication-Results: mx.zohomail.com; spf=pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=fail(p=none dis=none) header.from=redhat.com
Return-Path:
Received: from lists.gnu.org (lists.gnu.org [208.118.235.17]) by mx.zohomail.com with SMTPS id 1543832117247135.8654140860309; Mon, 3 Dec 2018 02:15:17 -0800 (PST)
Received: from localhost ([::1]:47743 helo=lists.gnu.org) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1gTlFr-00024C-Ft for importer@patchew.org; Mon, 03 Dec 2018 05:15:07 -0500
Received: from eggs.gnu.org ([2001:4830:134:3::10]:38210) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1gTlBm-0007fx-Ke for qemu-devel@nongnu.org; Mon, 03 Dec 2018 05:10:55 -0500
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1gTlBi-0001Xo-FJ for qemu-devel@nongnu.org; Mon, 03 Dec 2018 05:10:54 -0500
Received: from mx1.redhat.com ([209.132.183.28]:50296) by eggs.gnu.org with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.71) (envelope-from ) id 1gTlBi-0001XB-AZ for qemu-devel@nongnu.org; Mon, 03 Dec 2018 05:10:50 -0500
Received: from smtp.corp.redhat.com (int-mx02.intmail.prod.int.phx2.redhat.com [10.5.11.12]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id A9D7830832C9; Mon, 3 Dec 2018 10:10:49 +0000 (UTC)
Received: from sirius.home.kraxel.org (ovpn-116-59.ams2.redhat.com [10.36.116.59]) by smtp.corp.redhat.com (Postfix) with ESMTP id 4E8F660BE7; Mon, 3 Dec 2018 10:10:46 +0000 (UTC)
Received: by sirius.home.kraxel.org (Postfix, from
userid 1000) id 79A099D91; Mon, 3 Dec 2018 11:10:45 +0100 (CET)
From: Gerd Hoffmann
To: qemu-devel@nongnu.org
Date: Mon, 3 Dec 2018 11:10:44 +0100
Message-Id: <20181203101045.27976-2-kraxel@redhat.com>
In-Reply-To: <20181203101045.27976-1-kraxel@redhat.com>
References: <20181203101045.27976-1-kraxel@redhat.com>
X-Scanned-By: MIMEDefang 2.79 on 10.5.11.12
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.44]); Mon, 03 Dec 2018 10:10:49 +0000 (UTC)
X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic] [fuzzy]
X-Received-From: 209.132.183.28
Subject: [Qemu-devel] [PATCH for-3.1 v3 1/2] usb-mtp: fix utf16_to_str
X-BeenThere: qemu-devel@nongnu.org
X-Mailman-Version: 2.1.21
Precedence: list
List-Id:
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
Cc: public@hansmi.ch, Gerd Hoffmann
Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org
Sender: "Qemu-devel"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"

Make utf16_to_str return an allocated string. Remove the assumption that the number of string bytes equals the number of utf16 chars (which is only true for ascii chars). Instead call wcstombs twice, once to figure the storage size and once for the actual conversion (as suggested by the wcstombs manpage).

Reported-by: Michael Hanselmann
Signed-off-by: Gerd Hoffmann
Reviewed-by: Markus Armbruster
Reviewed-by: Peter Maydell
Reviewed-by: Philippe Mathieu-Daudé
---
 hw/usb/dev-mtp.c | 18 ++++++++++++------
 1 file changed, 12 insertions(+), 6 deletions(-)

diff --git a/hw/usb/dev-mtp.c b/hw/usb/dev-mtp.c
index 00a3691bae..0f6a9702ef 100644
--- a/hw/usb/dev-mtp.c
+++ b/hw/usb/dev-mtp.c
@@ -1593,17 +1593,23 @@ static void usb_mtp_cancel_packet(USBDevice *dev, U= SBPacket *p) fprintf(stderr, "%s\n", __func__); } =20 -static void utf16_to_str(uint8_t len, uint16_t *arr, char *name) +static char *utf16_to_str(uint8_t len, uint16_t *arr) { - int count; - wchar_t *wstr =3D g_new0(wchar_t, len); + wchar_t *wstr =3D g_new0(wchar_t, len + 1); + int count, dlen; + char *dest; =20 for (count =3D 0; count < len; count++) { + /* FIXME: not working for surrogate pairs */ wstr[count] =3D (wchar_t)arr[count]; } + wstr[count] =3D 0; =20 - wcstombs(name, wstr, len); + dlen =3D wcstombs(NULL, wstr, 0) + 1; + dest =3D g_malloc(dlen); + wcstombs(dest, wstr, dlen); g_free(wstr); + return dest; } =20 /* Wrapper around write, returns 0 on failure */ @@ -1703,7 +1709,7 @@ static void usb_mtp_write_metadata(MTPState *s) { MTPData *d =3D s->data_out; ObjectInfo *dataset =3D (ObjectInfo *)d->data; - char *filename =3D g_new0(char, dataset->length); + char *filename; MTPObject *o; MTPObject *p =3D usb_mtp_object_lookup(s, s->dataset.parent_handle); uint32_t next_handle =3D s->next_handle; 
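Review bot: in the first hunk (the new utf16_to_str) neither wcstombs result is checked. wcstombs returns (size_t)-1 when a wide character cannot be represented in the current LC_CTYPE locale (for instance a non-ASCII name while the process runs in the C locale, or the unpaired surrogate halves the new FIXME mentions), so `dlen =3D wcstombs(NULL, wstr, 0) + 1;` then evaluates to 0, `dest =3D g_malloc(dlen);` returns NULL (g_malloc of 0 bytes returns NULL), and the function hands a NULL filename back to its caller. Suggest keeping the first result in a size_t, testing it against (size_t)-1 before allocating, and returning NULL so the caller can fail the request; the second wcstombs call should be checked the same way rather than discarded. Minor: `int count, dlen;` makes `dlen` an int that receives a size_t.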
@@ -1711,7 +1717,7 @@ static void usb_mtp_write_metadata(MTPState *s) assert(!s->write_pending); assert(p !=3D NULL); =20 - utf16_to_str(dataset->length, dataset->filename, filename); + filename =3D utf16_to_str(dataset->length, dataset->filename); =20 o =3D usb_mtp_object_lookup_name(p, filename, dataset->length); if (o !=3D NULL) { --=20 2.9.3 From nobody Sun May 19 08:26:12 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) client-ip=208.118.235.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Authentication-Results: mx.zohomail.com; spf=pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=fail(p=none dis=none) header.from=redhat.com Return-Path: Received: from lists.gnu.org (lists.gnu.org [208.118.235.17]) by mx.zohomail.com with SMTPS id 1543832120021581.6768786620754; Mon, 3 Dec 2018 02:15:20 -0800 (PST) Received: from localhost ([::1]:47744 helo=lists.gnu.org) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1gTlG1-00029W-Ss for importer@patchew.org; Mon, 03 Dec 2018 05:15:17 -0500 Received: from eggs.gnu.org ([2001:4830:134:3::10]:38208) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1gTlBm-0007fv-KK for qemu-devel@nongnu.org; Mon, 03 Dec 2018 05:10:55 -0500 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1gTlBh-0001XF-SW for qemu-devel@nongnu.org; Mon, 03 Dec 2018 05:10:54 -0500 Received: from mx1.redhat.com ([209.132.183.28]:47912) by eggs.gnu.org with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.71) (envelope-from ) id 1gTlBh-0001WX-NX for qemu-devel@nongnu.org; Mon, 03 Dec 2018 05:10:49 -0500 Received: from smtp.corp.redhat.com (int-mx04.intmail.prod.int.phx2.redhat.com [10.5.11.14]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client 
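Review bot: the unchanged context line `o =3D usb_mtp_object_lookup_name(p, filename, dataset->length);` still passes the UTF-16 code-unit count as the length of `filename`, but this patch exists precisely because the converted multibyte string's byte length is no longer equal to that count; pass strlen(filename) (or have the lookup take the NUL-terminated string). Separately, `filename =3D utf16_to_str(dataset->length, dataset->filename);` now hands ownership of a heap buffer to usb_mtp_write_metadata just as the removed g_new0 did, and nothing in the hunks shows where it is released; make sure every path out of the function frees it.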
certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 1BFAC4E92D; Mon, 3 Dec 2018 10:10:49 +0000 (UTC)
Received: from sirius.home.kraxel.org (ovpn-116-59.ams2.redhat.com [10.36.116.59]) by smtp.corp.redhat.com (Postfix) with ESMTP id 4157A5DF29; Mon, 3 Dec 2018 10:10:46 +0000 (UTC)
Received: by sirius.home.kraxel.org (Postfix, from userid 1000) id 815C99D92; Mon, 3 Dec 2018 11:10:45 +0100 (CET)
From: Gerd Hoffmann
To: qemu-devel@nongnu.org
Date: Mon, 3 Dec 2018 11:10:45 +0100
Message-Id: <20181203101045.27976-3-kraxel@redhat.com>
In-Reply-To: <20181203101045.27976-1-kraxel@redhat.com>
References: <20181203101045.27976-1-kraxel@redhat.com>
MIME-Version: 1.0
X-Scanned-By: MIMEDefang 2.79 on 10.5.11.14
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.38]); Mon, 03 Dec 2018 10:10:49 +0000 (UTC)
Content-Transfer-Encoding: quoted-printable
X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic] [fuzzy]
X-Received-From: 209.132.183.28
Subject: [Qemu-devel] [PATCH for-3.1 v3 2/2] usb-mtp: outlaw slashes in filenames
X-BeenThere: qemu-devel@nongnu.org
X-Mailman-Version: 2.1.21
Precedence: list
List-Id:
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
Cc: public@hansmi.ch, Gerd Hoffmann
Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org
Sender: "Qemu-devel"
Content-Type: text/plain; charset="utf-8"

Slash is the unix directory separator, so it is not allowed in filenames. Note this also stops the classic escape via "../".

Fixes: CVE-2018-16867
Reported-by: Michael Hanselmann
Signed-off-by: Gerd Hoffmann
Reviewed-by: Philippe Mathieu-Daudé
---
 hw/usb/dev-mtp.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/hw/usb/dev-mtp.c b/hw/usb/dev-mtp.c
index 0f6a9702ef..100b7171f4 100644
--- a/hw/usb/dev-mtp.c
+++ b/hw/usb/dev-mtp.c
@@ -1719,6 +1719,12 @@ static void usb_mtp_write_metadata(MTPState *s) =20 filename =3D utf16_to_str(dataset->length, dataset->filename); =20 + if (strchr(filename, '/')) { + usb_mtp_queue_result(s, RES_PARAMETER_NOT_SUPPORTED, d->trans, + 0, 0, 0, 0); + return; + } + o =3D usb_mtp_object_lookup_name(p, filename, dataset->length); if (o !=3D NULL) { next_handle =3D o->handle; --=20 2.9.3
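Review bot: the early `return;` inside the new `if (strchr(filename, '/'))` block leaks `filename`, which the context line just above shows is freshly allocated by utf16_to_str; add `g_free(filename);` before the return. The check also catches "../" only because of the slash: a name that is exactly ".." (or "." or empty) contains none, passes strchr, and still does not denote a regular child of the parent object, so consider rejecting those with the same RES_PARAMETER_NOT_SUPPORTED result (strcmp against "." and "..", plus a `*filename == '\0'` test).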
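Added example, not QEMU's code and not part of either patch: a hypothetical utf16_to_str replacement that performs the two-call wcstombs conversion described in patch 1/2 with both results checked, goes beyond the patch's FIXME by combining surrogate pairs (assumes a 32-bit wchar_t, as on glibc), and a name filter that extends patch 2/2's slash check to ".", ".." and empty names. The function names and the plain calloc/malloc allocation are assumptions.

```c
#include <locale.h>   /* callers choose the locale wcstombs converts into */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <wchar.h>

/* Hypothetical replacement for utf16_to_str (added example, not QEMU code):
 * UTF-16 -> current-locale multibyte via two wcstombs calls (size, convert),
 * both checked; surrogate pairs are combined (assumes 32-bit wchar_t as on
 * glibc). Returns a malloc'ed string, or NULL if conversion fails. */
char *mtp_name_from_utf16(uint8_t len, const uint16_t *arr)
{
    wchar_t *wstr = calloc((size_t)len + 1, sizeof(*wstr));
    size_t i, n = 0, need;
    char *dest = NULL;
    if (wstr == NULL) return NULL;
    for (i = 0; i < len; i++) {
        uint32_t cp = arr[i];
        if (cp >= 0xD800 && cp <= 0xDBFF && i + 1 < len &&
            arr[i + 1] >= 0xDC00 && arr[i + 1] <= 0xDFFF) {
            /* high + low surrogate -> one supplementary code point */
            cp = 0x10000 + ((cp - 0xD800) << 10) + (arr[i + 1] - 0xDC00);
            i++;
        } else if (cp >= 0xD800 && cp <= 0xDFFF) {
            goto fail;  /* lone surrogate is not a valid scalar value */
        }
        wstr[n++] = (wchar_t)cp;
    }
    wstr[n] = L'\0';
    need = wcstombs(NULL, wstr, 0);  /* first call: bytes needed, or -1 */
    if (need == (size_t)-1 || (dest = malloc(need + 1)) == NULL ||
        wcstombs(dest, wstr, need + 1) == (size_t)-1) {
        goto fail;  /* unrepresentable in this locale, or out of memory */
    }
    free(wstr);
    return dest;
fail:
    free(dest);
    free(wstr);
    return NULL;
}

/* Name filter: empty names, any '/', and the aliases "." and ".." are
 * refused, since none of them names a regular child entry. Returns 1 if ok. */
int mtp_name_is_safe(const char *name)
{
    if (name == NULL || name[0] == '\0' || strchr(name, '/') != NULL) return 0;
    return strcmp(name, ".") != 0 && strcmp(name, "..") != 0;
}
```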