qemu-devel


Re: [Qemu-devel] [PATCH 0/3] usb-mtp: fix ObjectInfo request handling


From: Peter Maydell
Subject: Re: [Qemu-devel] [PATCH 0/3] usb-mtp: fix ObjectInfo request handling
Date: Tue, 16 Apr 2019 20:33:49 +0100

On Tue, 16 Apr 2019 at 18:27, Peter Maydell <address@hidden> wrote:
>
> On Tue, 16 Apr 2019 at 14:35, Peter Maydell <address@hidden> wrote:
> >
> > On Mon, 15 Apr 2019 at 16:45, Daniel P. Berrangé <address@hidden> wrote:
> > >
> > > Two previous attempts to fix this due to GCC 9 highlighting
> > > unaligned data access. My attempt:
> > >
> > >   https://lists.gnu.org/archive/html/qemu-devel/2019-03/msg07763.html
> > >
> > > And a previous one:
> > >
> > >   https://lists.gnu.org/archive/html/qemu-devel/2019-02/msg07923.html
> > >   https://lists.gnu.org/archive/html/qemu-devel/2019-03/msg00162.html
> > >
> > > There are a number of bugs in the USB MTP usb_mtp_write_metadata
> > > method handling the filename character set conversion.
> > >
> > > The 2nd patch in this series is a security flaw fix since the
> > > code was not correctly validating guest provided data length.
> >
> > Given that we don't seem to be confident in this fix just now,
> > and this is a read-only buffer overrun in a not-commonly-used
> > feature that only happens if you explicitly enable write support,
> > my current thought is that we should not try to put this into 4.0
> > (but instead treat it as we would a security issue that had
> > occurred after we released 4.0).
> >
> > Opinions? Maybe we should just apply patch 2/3 for 4.0 ?
>
> Having thought a bit more I think I'd definitely like to apply
> just patch 2 for 4.0. Could people try to test that and confirm
> that it at least does not make the feature behave any worse?

I've done a tentative merge test of patch 2, which is OK.
I'd like to push that either today or tomorrow (UK time):
objections?

thanks
-- PMM


