From nobody Fri Apr 19 04:36:37 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Authentication-Results: mx.zohomail.com; spf=pass (zoho.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=fail(p=none dis=none) header.from=redhat.com ARC-Seal: i=1; a=rsa-sha256; t=1555343402; cv=none; d=zoho.com; s=zohoarc; b=OxUKuMQx1opaDLwGrc7TGK758xvwucjSJsiwx0aWRJddMutzqmh1va6ZquP4vofqXB0j9UvXRIBQVJuSVxmLt02XIwyNxatTogTpAn3FJYAkqslTrLXZWfVeRVr73NQlHkP/Oh7t4RH9dyBbyNq874xrpbGx5E6sQwzynt0pRYg= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zoho.com; s=zohoarc; t=1555343402; h=Content-Type:Content-Transfer-Encoding:Cc:Date:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:To:ARC-Authentication-Results; bh=sHXDvK1az2gfoT8RSy1smuu7+UbHN06kzoCxHr/aTo4=; b=AhJgWptREtl+/AcIqIa4koi+1Th5coxvmUfHlrtf4PjxIBi07MjCrWVv8FoVSujjhS/tx1q2czBiA2+aNDSpq+BIo19HBWuwCLrKSYtkJIZFOMa1Frw8LG6MgL49l0S87IdQkYHBfHJlhuFs1p47XC3uq+BXH5cV3tOQ6utXmJY= ARC-Authentication-Results: i=1; mx.zoho.com; spf=pass (zoho.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=fail header.from= (p=none dis=none) header.from= Return-Path: Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 155534340273051.84345521260275; Mon, 15 Apr 2019 08:50:02 -0700 (PDT) Received: from localhost ([127.0.0.1]:52046 helo=lists.gnu.org) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1hG3ro-0003oV-PN for importer@patchew.org; Mon, 15 Apr 2019 11:49:56 -0400 Received: from eggs.gnu.org ([209.51.188.92]:44155) by 
lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1hG3nb-0000vH-S9 for qemu-devel@nongnu.org; Mon, 15 Apr 2019 11:45:36 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1hG3na-0007yF-DH for qemu-devel@nongnu.org; Mon, 15 Apr 2019 11:45:35 -0400 Received: from mx1.redhat.com ([209.132.183.28]:34980) by eggs.gnu.org with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.71) (envelope-from ) id 1hG3nZ-0007Zw-T3 for qemu-devel@nongnu.org; Mon, 15 Apr 2019 11:45:34 -0400 Received: from smtp.corp.redhat.com (int-mx03.intmail.prod.int.phx2.redhat.com [10.5.11.13]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id DFA6230A7C89; Mon, 15 Apr 2019 15:45:13 +0000 (UTC) Received: from localhost.localdomain.com (unknown [10.42.22.189]) by smtp.corp.redhat.com (Postfix) with ESMTP id 59905608C1; Mon, 15 Apr 2019 15:45:11 +0000 (UTC) 
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= To: qemu-devel@nongnu.org Date: Mon, 15 Apr 2019 16:45:01 +0100 Message-Id: <20190415154503.6758-2-berrange@redhat.com> In-Reply-To: <20190415154503.6758-1-berrange@redhat.com> References: <20190415154503.6758-1-berrange@redhat.com> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 2.79 on 10.5.11.13 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.40]); Mon, 15 Apr 2019 15:45:15 +0000 (UTC) Content-Transfer-Encoding: quoted-printable X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic] X-Received-From: 209.132.183.28 Subject: [Qemu-devel] [PATCH 1/3] usb-mtp: fix string length for filename when writing metadata X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Peter Maydell , Thomas Huth , Greg Kurz , Bandan Das , Gerd Hoffmann Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: "Qemu-devel" Content-Type: text/plain; charset="utf-8" The ObjectInfo 'length' field provides the length of the wide character string filename. This is then converted to a multi-byte character string. This may have a different byte count to the wide character string. We should use the C string length of the multi-byte string instead. Signed-off-by: Daniel P. Berrang=C3=A9 --- hw/usb/dev-mtp.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hw/usb/dev-mtp.c b/hw/usb/dev-mtp.c index ebf210fbf8..838cd74da6 100644 --- a/hw/usb/dev-mtp.c +++ b/hw/usb/dev-mtp.c 
@@ -1714,7 +1714,7 @@ static void usb_mtp_write_metadata(MTPState *s, uint6= 4_t dlen) return; } =20 - o =3D usb_mtp_object_lookup_name(p, filename, dataset->length); + o =3D usb_mtp_object_lookup_name(p, filename, -1); if (o !=3D NULL) { next_handle =3D o->handle; } --=20 2.20.1 From nobody Fri Apr 19 04:36:37 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Authentication-Results: mx.zohomail.com; spf=pass (zoho.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=fail(p=none dis=none) header.from=redhat.com ARC-Seal: i=1; a=rsa-sha256; t=1555343326; cv=none; d=zoho.com; s=zohoarc; b=PK7rqIAMCr98TDjoK02oZLgfSHrrBzMBSwvHUtURH8lGQfzV5I0tECv/ybOVhHxGtLWHDFXs0FhR2ug6+j8Tl0/Xefdd+wNLFaMHTB26yjWOeBYtR+3HZCjgqXfLV41REhwlWcRFmY8xjc5Zya4CyG0fOA5NxgA8XcB6kALOkhk= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zoho.com; s=zohoarc; t=1555343326; h=Content-Type:Content-Transfer-Encoding:Cc:Date:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:To:ARC-Authentication-Results; bh=hWJV+zXJHKRGoz7agCG6q+7vb8z9259YPUK6cpJaibM=; b=B8BX2QNDU035cPNOER+DpLKH28x+hCXiQP3MlFKDYaLuqtfrofrsExWp+DlyxUL/mMIRJ3X5bqBP56mSvYJS3/39HtKGNF5VC5Ws4d65n89CQs5/LFNh3by0cX6H9J0O7S6f+oKJmxUMzaqPBzmiGtCualc2RlEe1H8f5POeriU= ARC-Authentication-Results: i=1; mx.zoho.com; spf=pass (zoho.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=fail header.from= (p=none dis=none) header.from= Return-Path: Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1555343326301644.4526462774517; Mon, 15 Apr 2019 
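Review bot: the new call `usb_mtp_object_lookup_name(p, filename, -1)` relies on the callee treating a negative length as "NUL-terminated, use strlen()", and the hunk does not show that function's signature; if its length parameter is unsigned (size_t or uint32_t), -1 converts to the maximum value and the bound is effectively dropped rather than replaced. Passing `strlen(filename)` explicitly, or adding a one-line comment at the call site stating the -1 convention, would make the intent checkable by the next reader without opening the callee.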
08:48:46 -0700 (PDT) Received: from localhost ([127.0.0.1]:51999 helo=lists.gnu.org) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1hG3qT-0002dB-43 for importer@patchew.org; Mon, 15 Apr 2019 11:48:33 -0400 Received: from eggs.gnu.org ([209.51.188.92]:44094) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1hG3nY-0000qt-UT for qemu-devel@nongnu.org; Mon, 15 Apr 2019 11:45:33 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1hG3nX-0007tZ-8W for qemu-devel@nongnu.org; Mon, 15 Apr 2019 11:45:32 -0400 Received: from mx1.redhat.com ([209.132.183.28]:42160) by eggs.gnu.org with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.71) (envelope-from ) id 1hG3nV-0007bB-1O for qemu-devel@nongnu.org; Mon, 15 Apr 2019 11:45:30 -0400 Received: from smtp.corp.redhat.com (int-mx03.intmail.prod.int.phx2.redhat.com [10.5.11.13]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 62361307D84F; Mon, 15 Apr 2019 15:45:16 +0000 (UTC) Received: from localhost.localdomain.com (unknown [10.42.22.189]) by smtp.corp.redhat.com (Postfix) with ESMTP id 3AB96608C6; Mon, 15 Apr 2019 15:45:14 +0000 (UTC) 
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= To: qemu-devel@nongnu.org Date: Mon, 15 Apr 2019 16:45:02 +0100 Message-Id: <20190415154503.6758-3-berrange@redhat.com> In-Reply-To: <20190415154503.6758-1-berrange@redhat.com> References: <20190415154503.6758-1-berrange@redhat.com> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 2.79 on 10.5.11.13 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.48]); Mon, 15 Apr 2019 15:45:16 +0000 (UTC) Content-Transfer-Encoding: quoted-printable X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic] X-Received-From: 209.132.183.28 Subject: [Qemu-devel] [PATCH 2/3] usb-mtp: fix bounds check for guest provided filename X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Peter Maydell , Thomas Huth , Greg Kurz , Bandan Das , Gerd Hoffmann Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: "Qemu-devel" Content-Type: text/plain; charset="utf-8" The ObjectInfo struct has a variable length array containing the UTF-16 encoded filename. The number of characters of trailing data is given by the 'length' field in the struct and this must be validated against the size of the data packet received from the guest. Since the data is UTF-16, we must convert the byte count we have to a character count before validating. This must take care to truncate if a malicious guest sent an odd number of bytes. Signed-off-by: Daniel P. Berrang=C3=A9 Reviewed-by: Bandan Das --- hw/usb/dev-mtp.c | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/hw/usb/dev-mtp.c b/hw/usb/dev-mtp.c index 838cd74da6..6b7d1296e4 100644 --- a/hw/usb/dev-mtp.c +++ b/hw/usb/dev-mtp.c 
@@ -1699,12 +1699,19 @@ static void usb_mtp_write_metadata(MTPState *s, uin= t64_t dlen) MTPObject *o; MTPObject *p =3D usb_mtp_object_lookup(s, s->dataset.parent_handle); uint32_t next_handle =3D s->next_handle; + size_t filename_chars =3D dlen - offsetof(ObjectInfo, filename); + + /* + * filename is utf-16. We're intentionally doing + * integer division to truncate if malicious guest + * sent an odd number of bytes. + */ + filename_chars /=3D 2; =20 assert(!s->write_pending); assert(p !=3D NULL); =20 - filename =3D utf16_to_str(MIN(dataset->length, - dlen - offsetof(ObjectInfo, filename)), + filename =3D utf16_to_str(MIN(dataset->length, filename_chars), dataset->filename); =20 if (strchr(filename, '/')) { --=20 2.20.1 From nobody Fri Apr 19 04:36:37 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Authentication-Results: mx.zohomail.com; spf=pass (zoho.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=fail(p=none dis=none) header.from=redhat.com ARC-Seal: i=1; a=rsa-sha256; t=1555343260; cv=none; d=zoho.com; s=zohoarc; b=Y9x+/xIjZgPXSIoiDWFGdODEmdkWN7vf8v2zq9E+0odAofT+080ejlIAj+N3mReFh517smkBm7D8LIfWEuYFv75GLHoDgqOW/P2gvttd2Y724I8FaDwRbzFwHnsCFe003jqYSH+w49sQXP4XwdyOBpD+0Brjiw2j/bB9R2yWgLw= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zoho.com; s=zohoarc; t=1555343260; h=Content-Type:Content-Transfer-Encoding:Cc:Date:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:To:ARC-Authentication-Results; bh=pOGdArnhCcDLWOrLgsxermepAV5PSQwnfnaOp++1wIM=; 
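Review bot: `size_t filename_chars = dlen - offsetof(ObjectInfo, filename);` underflows when dlen is smaller than the fixed part of the struct, and nothing in the visible context shows an earlier check that `dlen >= offsetof(ObjectInfo, filename)`. In that case filename_chars wraps to a huge value, `MIN(dataset->length, filename_chars)` picks the guest-supplied dataset->length, and utf16_to_str reads past the packet, which is exactly the bound this patch sets out to enforce. Suggest an explicit `if (dlen < offsetof(ObjectInfo, filename)) { return; }` before the subtraction, or, if the caller already guarantees it, a comment saying so. The integer-division truncation of an odd trailing byte is correct as written.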
b=BPKjYE5rZat4+5fVQdGyB25ykMkFI8QumCwFlmk9qCl99BX7ZQbs4WWeJcZvDEbl/ir+0Zy42KyK4D52a9HM5Og8lLfYGgAP+nzYsEn8uLTt1fIkCc59WUQQfiyGZksGzvp1matNr0tmEVia31WJ3Xr9XmTV9okwTT/uVOoSmbs= ARC-Authentication-Results: i=1; mx.zoho.com; spf=pass (zoho.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=fail header.from= (p=none dis=none) header.from= Return-Path: Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1555343260145749.9208125092705; Mon, 15 Apr 2019 08:47:40 -0700 (PDT) Received: from localhost ([127.0.0.1]:51993 helo=lists.gnu.org) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1hG3pY-0001xP-4Y for importer@patchew.org; Mon, 15 Apr 2019 11:47:36 -0400 Received: from eggs.gnu.org ([209.51.188.92]:44040) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1hG3nU-0000nJ-6d for qemu-devel@nongnu.org; Mon, 15 Apr 2019 11:45:29 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1hG3nR-0007m6-Fa for qemu-devel@nongnu.org; Mon, 15 Apr 2019 11:45:26 -0400 Received: from mx1.redhat.com ([209.132.183.28]:35046) by eggs.gnu.org with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.71) (envelope-from ) id 1hG3nO-0007gJ-Lu for qemu-devel@nongnu.org; Mon, 15 Apr 2019 11:45:23 -0400 Received: from smtp.corp.redhat.com (int-mx03.intmail.prod.int.phx2.redhat.com [10.5.11.13]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 7985E3002F52; Mon, 15 Apr 2019 15:45:18 +0000 (UTC) Received: from localhost.localdomain.com (unknown [10.42.22.189]) by smtp.corp.redhat.com (Postfix) with ESMTP id B75D9608C1; Mon, 15 Apr 2019 15:45:16 +0000 (UTC) 
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= To: qemu-devel@nongnu.org Date: Mon, 15 Apr 2019 16:45:03 +0100 Message-Id: <20190415154503.6758-4-berrange@redhat.com> In-Reply-To: <20190415154503.6758-1-berrange@redhat.com> References: <20190415154503.6758-1-berrange@redhat.com> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 2.79 on 10.5.11.13 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.40]); Mon, 15 Apr 2019 15:45:18 +0000 (UTC) Content-Transfer-Encoding: quoted-printable X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic] X-Received-From: 209.132.183.28 Subject: [Qemu-devel] [PATCH 3/3] usb-mtp: fix alignment of access of ObjectInfo filename field X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Peter Maydell , Thomas Huth , Greg Kurz , Bandan Das , Gerd Hoffmann Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: "Qemu-devel" Content-Type: text/plain; charset="utf-8" The ObjectInfo struct's "filename" field is following a uint8_t field in a packed struct and thus has bad alignment for a 16-bit field. Switch the field to to uint8_t and use the helper function for accessing unaligned 16-bit data. Note that although the MTP spec specifies big endian, when transported over the USB protocol, data is little endian. Signed-off-by: Daniel P. Berrang=C3=A9 --- hw/usb/dev-mtp.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/hw/usb/dev-mtp.c b/hw/usb/dev-mtp.c index 6b7d1296e4..963449ec7d 100644 --- a/hw/usb/dev-mtp.c +++ b/hw/usb/dev-mtp.c @@ -226,7 +226,7 @@ typedef struct { uint32_t assoc_desc; uint32_t seq_no; /*unused*/ uint8_t length; /*part of filename field*/ - uint16_t filename[0]; + uint8_t filename[0]; /* UTF-16 encoded */ char date_created[0]; /*unused*/ char date_modified[0]; /*unused*/ char keywords[0]; /*unused*/ 
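Review bot: changing the field to `uint8_t filename[0]` changes the pointer type every reader of `dataset->filename` sees, and only utf16_to_str is updated in this series; the commit message should state that it is the sole consumer (and fix the "to to" typo). Since the message itself points out that the data is little endian on USB despite the MTP spec, the new field comment would be more useful as `/* UTF-16LE encoded */` so the byte order is recorded next to the data it applies to.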
@@ -1551,7 +1551,7 @@ static void usb_mtp_cancel_packet(USBDevice *dev, USB= Packet *p) fprintf(stderr, "%s\n", __func__); } =20 -static char *utf16_to_str(uint8_t len, uint16_t *arr) +static char *utf16_to_str(uint8_t len, uint8_t *str16) { wchar_t *wstr =3D g_new0(wchar_t, len + 1); int count, dlen; @@ -1559,7 +1559,7 @@ static char *utf16_to_str(uint8_t len, uint16_t *arr) =20 for (count =3D 0; count < len; count++) { /* FIXME: not working for surrogate pairs */ - wstr[count] =3D (wchar_t)arr[count]; + wstr[count] =3D lduw_le_p(str16 + (count * 2)); } wstr[count] =3D 0; =20 --=20 2.20.1
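Review bot: in the signature hunk, `uint8_t *str16` could be `const uint8_t *str16`, since the function only reads the buffer; that also lets callers pass the packed dataset field without a cast-away-const later.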
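Review bot: the loop hunk now calls `lduw_le_p(str16 + (count * 2))` but adds no `#include "qemu/bswap.h"`, where that helper lives; confirm it is already pulled in by an existing include rather than transitively, or add it explicitly. The `/* FIXME: not working for surrogate pairs */` comment stays accurate after this change (each code unit is still copied into one wchar_t), so it should be left in place rather than dropped in a follow-up.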
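As an added example, not code from the QEMU series or from the patch author: the length handling described in the PATCH 2/3 and PATCH 3/3 commit messages (clamp the guest's claimed character count to what the packet actually carries, truncate an odd trailing byte, read the unaligned UTF-16LE code units byte-wise) written out as a stand-alone C program. The `object_info_t` layout, `load_u16_le`, `build_packet` and all packet contents are constructed here and are not QEMU's; it also adds the "packet shorter than the header" guard that the visible hunk does not show.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Constructed stand-in for the tail of the packed MTP ObjectInfo dataset
 * discussed in the patches. The leading fields are hypothetical; what
 * matters is that 'length' is a single byte, so 'filename' starts at an
 * odd offset and its UTF-16 code units are unaligned.
 */
typedef struct __attribute__((packed)) {
    uint32_t storage_id;
    uint16_t object_format;
    uint8_t  length;      /* UTF-16 code units in filename, as claimed by the guest */
    uint8_t  filename[];  /* UTF-16LE code units, unaligned (USB is little endian) */
} object_info_t;

/* Unaligned little-endian 16-bit load; plays the role of QEMU's lduw_le_p(). */
static uint16_t load_u16_le(const uint8_t *p)
{
    return (uint16_t)(p[0] | ((uint16_t)p[1] << 8));
}

/*
 * Number of UTF-16 code units of 'filename' actually backed by a packet of
 * dlen bytes. Returns -1 if the packet cannot even hold the fixed header,
 * so the caller never subtracts into size_t underflow. Integer division
 * drops a trailing odd byte instead of reading half a code unit.
 */
static long filename_chars_available(size_t dlen)
{
    size_t hdr = offsetof(object_info_t, filename);
    if (dlen < hdr) {
        return -1;
    }
    return (long)((dlen - hdr) / 2);
}

/*
 * Decode the filename to a NUL-terminated C string, using the guest's
 * 'length' only as an upper bound that is further clamped by the packet.
 * Code units outside printable ASCII become '?' (toy transcoding; surrogate
 * pairs are not handled, matching the FIXME in the patched function).
 */
static char *decode_filename(const uint8_t *pkt, size_t dlen)
{
    const object_info_t *info = (const object_info_t *)pkt;
    long avail = filename_chars_available(dlen);
    if (avail < 0) {
        return NULL;            /* truncated packet: reject, do not underflow */
    }
    size_t n = info->length;
    if (n > (size_t)avail) {
        n = (size_t)avail;      /* guest over-claimed: trust the packet, not the field */
    }
    char *out = malloc(n + 1);
    if (!out) {
        return NULL;
    }
    for (size_t i = 0; i < n; i++) {
        uint16_t cu = load_u16_le(info->filename + 2 * i);
        out[i] = (cu > 0 && cu < 0x80) ? (char)cu : '?';
    }
    out[n] = '\0';
    return out;
}

/* Build a constructed packet: header + ASCII name widened to UTF-16LE, optionally plus one stray byte. */
static size_t build_packet(uint8_t claimed_len, const char *ascii, int odd_byte,
                           uint8_t *buf, size_t bufsz)
{
    object_info_t hdr = { .storage_id = 0x10001, .object_format = 0x3000, .length = claimed_len };
    size_t n = strlen(ascii);
    size_t need = sizeof(hdr) + 2 * n + (odd_byte ? 1 : 0);
    if (need > bufsz) {
        return 0;
    }
    memcpy(buf, &hdr, sizeof(hdr));
    for (size_t i = 0; i < n; i++) {
        buf[sizeof(hdr) + 2 * i] = (uint8_t)ascii[i];
        buf[sizeof(hdr) + 2 * i + 1] = 0;
    }
    if (odd_byte) {
        buf[need - 1] = 0x41;   /* dangling half of a code unit */
    }
    return need;
}

/* Returns 1 if decoding the constructed packet yields 'expected' (NULL meaning "rejected"). */
static int check_decode(uint8_t claimed_len, const char *ascii, int odd_byte, const char *expected)
{
    uint8_t buf[128];
    size_t dlen = build_packet(claimed_len, ascii, odd_byte, buf, sizeof(buf));
    char *got = decode_filename(buf, dlen);
    int ok = (got == NULL) ? (expected == NULL)
                           : (expected != NULL && strcmp(got, expected) == 0);
    free(got);
    return ok;
}

int main(void)
{
    printf("honest length:            %d\n", check_decode(3, "abc", 0, "abc"));
    printf("over-claimed + odd byte:  %d\n", check_decode(200, "abc", 1, "abc"));
    printf("short packet rejected:    %d\n", filename_chars_available(3) == -1);
    return 0;
}
```

The clamp order matters: the packet-derived count is computed first and the guest field is only ever allowed to shrink it, so a dataset->length of 200 over a 3-character packet yields 3 characters, and a packet shorter than the header yields a rejection rather than a wrapped size_t.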