json: Fix % handling when not interpolating

Commit 8bca4613 added support for %% in json strings when interpolating, but in doing so broke handling of % when not interpolating. When parse_string() is fed a string token containing '%', it skips the '%' regardless of ctxt->ap, i.e. even it's not interpolating. If the '%' is the string's last character, it fails an assertion. Else, it "merely" swallows the '%'. Fix parse_string() to handle '%' specially only when interpolating. To gauge the bug's impact, let's review non-interpolating users of this parser, i.e. code passing NULL context to json_message_parser_init(): * tests/check-qjson.c, tests/test-qobject-input-visitor.c, tests/test-visitor-serialization.c Plenty of tests, but we still failed to cover the buggy case. * monitor.c: QMP input * qga/main.c: QGA input * qobject_from_json(): - qobject-input-visitor.c: JSON command line option arguments of -display and -blockdev Reproducer: -blockdev '{"%"}' - block.c: JSON pseudo-filenames starting with "json:" Reproducer: https://bugzilla.redhat.com/show_bug.cgi?id=1668244#c3 - block/rbd.c: JSON key pairs Pseudo-filenames starting with "rbd:". Command line, QMP and QGA input are trusted. Filenames are trusted when they come from command line, QMP or HMP. They are untrusted when they come from from image file headers. Example: QCOW2 backing file name. Note that this is *not* the security boundary between host and guest. It's the boundary between host and an image file from an untrusted source. Neither failing an assertion nor skipping a character in a filename of your choice looks exploitable. Note that we don't support compiling with NDEBUG. Fixes: 8bca4613 Cc: qemu-stable@nongnu.org Signed-off-by: N Christophe Fergeau <cfergeau@redhat.com> Message-Id: <20190102140535.11512-1-cfergeau@redhat.com> Reviewed-by: N Eric Blake <eblake@redhat.com> Tested-by: N Richard W.M. Jones <rjones@redhat.com> [Commit message extended to discuss impact] Signed-off-by: N Markus Armbruster <armbru@redhat.com> (cherry picked from commit bbc0586c) Signed-off-by: N Michael Roth <mdroth@linux.vnet.ibm.com>

json: Fix % handling when not interpolating
Commit 8bca4613 added support for %% in json strings when interpolating, but in doing so broke handling of % when not interpolating. When parse_string() is fed a string token containing '%', it skips the '%' regardless of ctxt->ap, i.e. even it's not interpolating. If the '%' is the string's last character, it fails an assertion. Else, it "merely" swallows the '%'. Fix parse_string() to handle '%' specially only when interpolating. To gauge the bug's impact, let's review non-interpolating users of this parser, i.e. code passing NULL context to json_message_parser_init(): * tests/check-qjson.c, tests/test-qobject-input-visitor.c, tests/test-visitor-serialization.c Plenty of tests, but we still failed to cover the buggy case. * monitor.c: QMP input * qga/main.c: QGA input * qobject_from_json(): - qobject-input-visitor.c: JSON command line option arguments of -display and -blockdev Reproducer: -blockdev '{"%"}' - block.c: JSON pseudo-filenames starting with "json:" Reproducer: https://bugzilla.redhat.com/show_bug.cgi?id=1668244#c3 - block/rbd.c: JSON key pairs Pseudo-filenames starting with "rbd:". Command line, QMP and QGA input are trusted. Filenames are trusted when they come from command line, QMP or HMP. They are untrusted when they come from from image file headers. Example: QCOW2 backing file name. Note that this is *not* the security boundary between host and guest. It's the boundary between host and an image file from an untrusted source. Neither failing an assertion nor skipping a character in a filename of your choice looks exploitable. Note that we don't support compiling with NDEBUG. Fixes: 8bca4613 Cc: qemu-stable@nongnu.org Signed-off-by: N Christophe Fergeau <cfergeau@redhat.com> Message-Id: <20190102140535.11512-1-cfergeau@redhat.com> Reviewed-by: N Eric Blake <eblake@redhat.com> Tested-by: N Richard W.M. Jones <rjones@redhat.com> [Commit message extended to discuss impact] Signed-off-by: N Markus Armbruster <armbru@redhat.com> (cherry picked from commit bbc0586c) Signed-off-by: N Michael Roth <mdroth@linux.vnet.ibm.com>
d7cae05b · Christophe Fergeau · Michael Roth · d03c3895 · d7cae05b · d7cae05b
隐藏空白更改
内联并排

Showing with 11 addition and 4 deletion

qobject/json-parser.c qobject/json-parser.c +6 -4

tests/check-qjson.c tests/check-qjson.c +5 -0

未找到文件。
--- a/qobject/json-parser.c
+++ b/qobject/json-parser.c
@@ -208,11 +208,13 @@ static QString *parse_string(JSONParserContext *ctxt, JSONToken *token)
            }
            break;
        case '%':
-            if (ctxt->ap && ptr[1] != '%') {
-                parse_error(ctxt, token, "can't interpolate into string");
-                goto out;
+            if (ctxt->ap) {
+                if (ptr[1] != '%') {
+                    parse_error(ctxt, token, "can't interpolate into string");
+                    goto out;
+                }
+                ptr++;
            }
-            ptr++;
            /* fall through */
        default:
            cp = mod_utf8_codepoint(ptr, 6, &end);

--- a/tests/check-qjson.c
+++ b/tests/check-qjson.c
@@ -175,6 +175,11 @@ static void utf8_string(void)
            "\xCE\xBA\xE1\xBD\xB9\xCF\x83\xCE\xBC\xCE\xB5",
            "\xCE\xBA\xE1\xBD\xB9\xCF\x83\xCE\xBC\xCE\xB5",
            "\\u03BA\\u1F79\\u03C3\\u03BC\\u03B5",
+        },
+            /* '%' character when not interpolating */
+        {
+            "100%",
+            "100%",
        },
        /* 2  Boundary condition test cases */
        /* 2.1  First possible sequence of a certain length */