[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Qemu-devel] [PATCH 19/36] json: Fix % handling when not interpolating
From: |
Michael Roth |
Subject: |
[Qemu-devel] [PATCH 19/36] json: Fix % handling when not interpolating |
Date: |
Tue, 23 Jul 2019 12:00:47 -0500 |
From: Christophe Fergeau <address@hidden>
Commit 8bca4613 added support for %% in json strings when interpolating,
but in doing so broke handling of % when not interpolating.
When parse_string() is fed a string token containing '%', it skips the
'%' regardless of ctxt->ap, i.e. even it's not interpolating. If the
'%' is the string's last character, it fails an assertion. Else, it
"merely" swallows the '%'.
Fix parse_string() to handle '%' specially only when interpolating.
To gauge the bug's impact, let's review non-interpolating users of this
parser, i.e. code passing NULL context to json_message_parser_init():
* tests/check-qjson.c, tests/test-qobject-input-visitor.c,
tests/test-visitor-serialization.c
Plenty of tests, but we still failed to cover the buggy case.
* monitor.c: QMP input
* qga/main.c: QGA input
* qobject_from_json():
- qobject-input-visitor.c: JSON command line option arguments of
-display and -blockdev
Reproducer: -blockdev '{"%"}'
- block.c: JSON pseudo-filenames starting with "json:"
Reproducer: https://bugzilla.redhat.com/show_bug.cgi?id=1668244#c3
- block/rbd.c: JSON key pairs
Pseudo-filenames starting with "rbd:".
Command line, QMP and QGA input are trusted.
Filenames are trusted when they come from command line, QMP or HMP.
They are untrusted when they come from from image file headers.
Example: QCOW2 backing file name. Note that this is *not* the security
boundary between host and guest. It's the boundary between host and an
image file from an untrusted source.
Neither failing an assertion nor skipping a character in a filename of
your choice looks exploitable. Note that we don't support compiling
with NDEBUG.
Fixes: 8bca4613e6cddd948895b8db3def05950463495b
Cc: address@hidden
Signed-off-by: Christophe Fergeau <address@hidden>
Message-Id: <address@hidden>
Reviewed-by: Eric Blake <address@hidden>
Tested-by: Richard W.M. Jones <address@hidden>
[Commit message extended to discuss impact]
Signed-off-by: Markus Armbruster <address@hidden>
(cherry picked from commit bbc0586ced6e9ffdfd29d89fcc917b3d90ac3938)
Signed-off-by: Michael Roth <address@hidden>
---
qobject/json-parser.c | 10 ++++++----
tests/check-qjson.c | 5 +++++
2 files changed, 11 insertions(+), 4 deletions(-)
diff --git a/qobject/json-parser.c b/qobject/json-parser.c
index 5a840dfd86..53e91cb16b 100644
--- a/qobject/json-parser.c
+++ b/qobject/json-parser.c
@@ -208,11 +208,13 @@ static QString *parse_string(JSONParserContext *ctxt,
JSONToken *token)
}
break;
case '%':
- if (ctxt->ap && ptr[1] != '%') {
- parse_error(ctxt, token, "can't interpolate into string");
- goto out;
+ if (ctxt->ap) {
+ if (ptr[1] != '%') {
+ parse_error(ctxt, token, "can't interpolate into string");
+ goto out;
+ }
+ ptr++;
}
- ptr++;
/* fall through */
default:
cp = mod_utf8_codepoint(ptr, 6, &end);
diff --git a/tests/check-qjson.c b/tests/check-qjson.c
index d876a7a96e..fa2afccb0a 100644
--- a/tests/check-qjson.c
+++ b/tests/check-qjson.c
@@ -175,6 +175,11 @@ static void utf8_string(void)
"\xCE\xBA\xE1\xBD\xB9\xCF\x83\xCE\xBC\xCE\xB5",
"\xCE\xBA\xE1\xBD\xB9\xCF\x83\xCE\xBC\xCE\xB5",
"\\u03BA\\u1F79\\u03C3\\u03BC\\u03B5",
+ },
+ /* '%' character when not interpolating */
+ {
+ "100%",
+ "100%",
},
/* 2 Boundary condition test cases */
/* 2.1 First possible sequence of a certain length */
--
2.17.1
- [Qemu-devel] [PATCH 09/36] exec.c: Don't reallocate IOMMUNotifiers that are in use, (continued)
- [Qemu-devel] [PATCH 09/36] exec.c: Don't reallocate IOMMUNotifiers that are in use, Michael Roth, 2019/07/23
- [Qemu-devel] [PATCH 12/36] block: Fix invalidate_cache error path for parent activation, Michael Roth, 2019/07/23
- [Qemu-devel] [PATCH 11/36] tpm: Make sure the locality received from backend is valid, Michael Roth, 2019/07/23
- [Qemu-devel] [PATCH 13/36] hw/rdma: another clang compilation fix, Michael Roth, 2019/07/23
- [Qemu-devel] [PATCH 10/36] tpm: Make sure new locality passed to tpm_tis_prep_abort() is valid, Michael Roth, 2019/07/23
- [Qemu-devel] [PATCH 17/36] i386: remove the new CPUID 'PCONFIG' from Icelake-Server CPU model, Michael Roth, 2019/07/23
- [Qemu-devel] [PATCH 18/36] i386: remove the 'INTEL_PT' CPUID bit from named CPU models, Michael Roth, 2019/07/23
- [Qemu-devel] [PATCH 15/36] tpm_tis: fix loop that cancels any seizure by a lower locality, Michael Roth, 2019/07/23
- [Qemu-devel] [PATCH 16/36] vfio-ap: flag as compatible with balloon, Michael Roth, 2019/07/23
- [Qemu-devel] [PATCH 20/36] qga-win: include glib when building VSS DLL, Michael Roth, 2019/07/23
- [Qemu-devel] [PATCH 19/36] json: Fix % handling when not interpolating,
Michael Roth <=
- [Qemu-devel] [PATCH 21/36] configure: improve usbfs check, Michael Roth, 2019/07/23
- [Qemu-devel] [PATCH 27/36] qcow2: Avoid COW during metadata preallocation, Michael Roth, 2019/07/23
- [Qemu-devel] [PATCH 25/36] usb-mtp: use O_NOFOLLOW and O_CLOEXEC., Michael Roth, 2019/07/23
- [Qemu-devel] [PATCH 28/36] cutils: Fix size_to_str() on 32-bit platforms, Michael Roth, 2019/07/23
- [Qemu-devel] [PATCH 29/36] block: Fix AioContext switch for bs->drv == NULL, Michael Roth, 2019/07/23
- [Qemu-devel] [PATCH 24/36] qga: update docs with systemd suspend support info, Michael Roth, 2019/07/23
- [Qemu-devel] [PATCH 14/36] slirp: check sscanf result when emulating ident, Michael Roth, 2019/07/23
- [Qemu-devel] [PATCH 26/36] qemu-img: fix error reporting for -object, Michael Roth, 2019/07/23
- [Qemu-devel] [PATCH 30/36] do not call vhost_net_cleanup() on running net from char user event, Michael Roth, 2019/07/23
- [Qemu-devel] [PATCH 01/36] i2c: Move typedef of bitbang_i2c_interface to i2c.h, Michael Roth, 2019/07/23