CVE-2022-39347 - Missing path sanitation with drive channel

2023-10-28 23:26:25 +02:00 · 2023-10-28 23:26:25 +02:00 · eb2c3e598e
commit eb2c3e598e
parent ae332a9e65
3 changed files with 331 additions and 0 deletions
--- a/debian/changelog
+++ b/debian/changelog
@ -13,6 +13,7 @@ freerdp2 (2.3.0+dfsg1-2+deb10u4) UNRELEASED; urgency=medium
    - CVE-2022-39316 - Out of bound read in zgfx decoder and
    - CVE-2022-39318 - Division by zero in urbdrc channel
    - CVE-2022-39319 - Missing length validation in urbdrc channel 
+    - CVE-2022-39347 - Missing path sanitation with `drive` channel 

 -- Tobias Frost <tobi@debian.org>  Sat, 28 Oct 2023 18:12:57 +0200

--- a/debian/patches/0056-CVE-2022-39347.patch
+++ b/debian/patches/0056-CVE-2022-39347.patch
@ -0,0 +1,329 @@
+Description: CVE-2022-39347 - Missing path sanitation with `drive` channel
+Origin: https://github.com/FreeRDP/FreeRDP/commit/027424c2c6c0991cb9c22f9511478229c9b17e5d
+Bug: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-c5xq-8v35-pffg
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1024511
+From 027424c2c6c0991cb9c22f9511478229c9b17e5d Mon Sep 17 00:00:00 2001
+From: akallabeth <akallabeth@posteo.net>
+Date: Mon, 24 Oct 2022 10:41:55 +0200
+Subject: [PATCH] Fixed path validation in drive channel
+
+Check that canonical path is a subpath of the shared directory
+
+(cherry picked from commit 844c94e6d0438fa7bd8ff8d5513c3f69c3018b85)
+---
+ channels/drive/client/drive_file.c | 106 ++++++++++++++++++-----------
+ channels/drive/client/drive_file.h |   8 +--
+ channels/drive/client/drive_main.c |   8 +--
+ 3 files changed, 73 insertions(+), 49 deletions(-)
+
+--- a/channels/drive/client/drive_file.c
+++ b/channels/drive/client/drive_file.c
+@@ -45,6 +45,45 @@
+ 
+ #include "drive_file.h"
+ 
+#include <assert.h>
+
+
+static int _wcsncmp(const WCHAR* string1, const WCHAR* string2, size_t count)
+{
+	assert(string1);
+	assert(string2);
+
+	for (size_t x = 0; x < count; x++)
+	{
+		const WCHAR a = string1[x];
+		const WCHAR b = string2[x];
+
+		if (a != b)
+			return (int)a - b;
+		else if ((a == '\0') || (b == '\0'))
+			return (int)a - b;
+	}
+	return 0;
+}
+
+static WCHAR* _wcsstr(const WCHAR* str, const WCHAR* strSearch)
+{
+	assert(str);
+	assert(strSearch);
+
+	if (strSearch[0] == '\0')
+		return (WCHAR*)str;
+
+	const size_t searchLen = _wcslen(strSearch);
+	while (*str)
+	{
+		if (_wcsncmp(str, strSearch, searchLen) == 0)
+			return (WCHAR*)str;
+		str++;
+	}
+	return NULL;
+}
+
+ #ifdef WITH_DEBUG_RDPDR
+ #define DEBUG_WSTR(msg, wstr)                                            \
+ 	do                                                                   \
+@@ -61,10 +100,14 @@
+ 	} while (0)
+ #endif
+ 
+-static void drive_file_fix_path(WCHAR* path)
+static BOOL drive_file_fix_path(WCHAR* path, size_t length)
+ {
+ 	size_t i;
+-	size_t length = _wcslen(path);
+
+	if ((length == 0) || (length > UINT32_MAX))
+		return FALSE;
+
+	assert(path);
+ 
+ 	for (i = 0; i < length; i++)
+ 	{
+@@ -75,58 +118,82 @@
+ #ifdef WIN32
+ 
+ 	if ((length == 3) && (path[1] == L':') && (path[2] == L'/'))
+-		return;
+		return FALSE;
+ 
+ #else
+ 
+ 	if ((length == 1) && (path[0] == L'/'))
+-		return;
+		return FALSE;
+ 
+ #endif
+ 
+ 	if ((length > 0) && (path[length - 1] == L'/'))
+ 		path[length - 1] = L'\0';
+
+	return TRUE;
+ }
+ 
+ static WCHAR* drive_file_combine_fullpath(const WCHAR* base_path, const WCHAR* path,
+-                                          size_t PathLength)
+                                          size_t PathWCharLength)
+ {
+-	WCHAR* fullpath;
+-	size_t base_path_length;
+	BOOL ok = FALSE;
+	WCHAR* fullpath = NULL;
+	size_t length;
+ 
+-	if (!base_path || (!path && (PathLength > 0)))
+-		return NULL;
+	if (!base_path || (!path && (PathWCharLength > 0)))
+		goto fail;
+ 
+-	base_path_length = _wcslen(base_path) * 2;
+-	fullpath = (WCHAR*)calloc(1, base_path_length + PathLength + sizeof(WCHAR));
+	const size_t base_path_length = _wcsnlen(base_path, MAX_PATH);
+	length = base_path_length + PathWCharLength + 1;
+	fullpath = (WCHAR*)calloc(length, sizeof(WCHAR));
+ 
+ 	if (!fullpath)
+		goto fail;
+
+	CopyMemory(fullpath, base_path, base_path_length * sizeof(WCHAR));
+	if (path)
+		CopyMemory(&fullpath[base_path_length], path, PathWCharLength * sizeof(WCHAR));
+
+	if (!drive_file_fix_path(fullpath, length))
+		goto fail;
+
+	/* Ensure the path does not contain sequences like '..' */
+	const WCHAR dotdot[] = { '.', '.', '\0' };
+	if (_wcsstr(&fullpath[base_path_length], dotdot))
+ 	{
+-		WLog_ERR(TAG, "malloc failed!");
+-		return NULL;
+		char abuffer[MAX_PATH] = { 0 };
+		ConvertFromUnicode(CP_UTF8, 0, &fullpath[base_path_length], -1, (char**)&abuffer,
+		                   ARRAYSIZE(abuffer) - 1, NULL, NULL);
+
+		WLog_WARN(TAG, "[rdpdr] received invalid file path '%s' from server, aborting!",
+		          &abuffer[base_path_length]);
+		goto fail;
+ 	}
+ 
+-	CopyMemory(fullpath, base_path, base_path_length);
+-	if (path)
+-		CopyMemory((char*)fullpath + base_path_length, path, PathLength);
+-	drive_file_fix_path(fullpath);
+	ok = TRUE;
+fail:
+	if (!ok)
+	{
+		free(fullpath);
+		fullpath = NULL;
+	}
+ 	return fullpath;
+ }
+ 
+ static BOOL drive_file_remove_dir(const WCHAR* path)
+ {
+-	WIN32_FIND_DATAW findFileData;
+	WIN32_FIND_DATAW findFileData = { 0 };
+ 	BOOL ret = TRUE;
+-	HANDLE dir;
+-	WCHAR* fullpath;
+-	WCHAR* path_slash;
+-	size_t base_path_length;
+	HANDLE dir = INVALID_HANDLE_VALUE;
+	WCHAR* fullpath = NULL;
+	WCHAR* path_slash = NULL;
+	size_t base_path_length = 0;
+ 
+ 	if (!path)
+ 		return FALSE;
+ 
+-	base_path_length = _wcslen(path) * 2;
+-	path_slash = (WCHAR*)calloc(1, base_path_length + sizeof(WCHAR) * 3);
+	base_path_length = _wcslen(path);
+	path_slash = (WCHAR*)calloc(base_path_length + 3, sizeof(WCHAR));
+ 
+ 	if (!path_slash)
+ 	{
+@@ -134,12 +201,11 @@
+ 		return FALSE;
+ 	}
+ 
+-	CopyMemory(path_slash, path, base_path_length);
+-	path_slash[base_path_length / 2] = L'/';
+-	path_slash[base_path_length / 2 + 1] = L'*';
+	CopyMemory(path_slash, path, base_path_length * sizeof(WCHAR));
+	path_slash[base_path_length] = L'/';
+	path_slash[base_path_length + 1] = L'*';
+ 	DEBUG_WSTR("Search in %s", path_slash);
+ 	dir = FindFirstFileW(path_slash, &findFileData);
+-	path_slash[base_path_length / 2 + 1] = 0;
+ 
+ 	if (dir == INVALID_HANDLE_VALUE)
+ 	{
+@@ -149,7 +215,7 @@
+ 
+ 	do
+ 	{
+-		size_t len = _wcslen(findFileData.cFileName);
+		const size_t len = _wcsnlen(findFileData.cFileName, ARRAYSIZE(findFileData.cFileName));
+ 
+ 		if ((len == 1 && findFileData.cFileName[0] == L'.') ||
+ 		    (len == 2 && findFileData.cFileName[0] == L'.' && findFileData.cFileName[1] == L'.'))
+@@ -157,7 +223,7 @@
+ 			continue;
+ 		}
+ 
+-		fullpath = drive_file_combine_fullpath(path_slash, findFileData.cFileName, len * 2);
+		fullpath = drive_file_combine_fullpath(path_slash, findFileData.cFileName, len);
+ 		DEBUG_WSTR("Delete %s", fullpath);
+ 
+ 		if (findFileData.dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY)
+@@ -333,13 +399,13 @@
+ 	return file->file_handle != INVALID_HANDLE_VALUE;
+ }
+ 
+-DRIVE_FILE* drive_file_new(const WCHAR* base_path, const WCHAR* path, UINT32 PathLength, UINT32 id,
+-                           UINT32 DesiredAccess, UINT32 CreateDisposition, UINT32 CreateOptions,
+-                           UINT32 FileAttributes, UINT32 SharedAccess)
+DRIVE_FILE* drive_file_new(const WCHAR* base_path, const WCHAR* path, UINT32 PathWCharLength,
+                           UINT32 id, UINT32 DesiredAccess, UINT32 CreateDisposition,
+                           UINT32 CreateOptions, UINT32 FileAttributes, UINT32 SharedAccess)
+ {
+ 	DRIVE_FILE* file;
+ 
+-	if (!base_path || (!path && (PathLength > 0)))
+	if (!base_path || (!path && (PathWCharLength > 0)))
+ 		return NULL;
+ 
+ 	file = (DRIVE_FILE*)calloc(1, sizeof(DRIVE_FILE));
+@@ -359,7 +425,7 @@
+ 	file->CreateDisposition = CreateDisposition;
+ 	file->CreateOptions = CreateOptions;
+ 	file->SharedAccess = SharedAccess;
+-	drive_file_set_fullpath(file, drive_file_combine_fullpath(base_path, path, PathLength));
+	drive_file_set_fullpath(file, drive_file_combine_fullpath(base_path, path, PathWCharLength));
+ 
+ 	if (!drive_file_init(file))
+ 	{
+@@ -714,13 +780,10 @@
+ 				return FALSE;
+ 
+ 			fullpath = drive_file_combine_fullpath(file->basepath, (WCHAR*)Stream_Pointer(input),
+-			                                       FileNameLength);
+			                                       FileNameLength / sizeof(WCHAR));
+ 
+ 			if (!fullpath)
+-			{
+-				WLog_ERR(TAG, "drive_file_combine_fullpath failed!");
+ 				return FALSE;
+-			}
+ 
+ #ifdef _WIN32
+ 
+@@ -759,7 +822,7 @@
+ }
+ 
+ BOOL drive_file_query_directory(DRIVE_FILE* file, UINT32 FsInformationClass, BYTE InitialQuery,
+-                                const WCHAR* path, UINT32 PathLength, wStream* output)
+                                const WCHAR* path, UINT32 PathWCharLength, wStream* output)
+ {
+ 	size_t length;
+ 	WCHAR* ent_path;
+@@ -773,7 +836,7 @@
+ 		if (file->find_handle != INVALID_HANDLE_VALUE)
+ 			FindClose(file->find_handle);
+ 
+-		ent_path = drive_file_combine_fullpath(file->basepath, path, PathLength);
+		ent_path = drive_file_combine_fullpath(file->basepath, path, PathWCharLength);
+ 		/* open new search handle and retrieve the first entry */
+ 		file->find_handle = FindFirstFileW(ent_path, &file->find_data);
+ 		free(ent_path);
+--- a/channels/drive/client/drive_file.h
+++ b/channels/drive/client/drive_file.h
+@@ -51,9 +51,9 @@
+ 	UINT32 CreateOptions;
+ };
+ 
+-DRIVE_FILE* drive_file_new(const WCHAR* base_path, const WCHAR* path, UINT32 PathLength, UINT32 id,
+-                           UINT32 DesiredAccess, UINT32 CreateDisposition, UINT32 CreateOptions,
+-                           UINT32 FileAttributes, UINT32 SharedAccess);
+DRIVE_FILE* drive_file_new(const WCHAR* base_path, const WCHAR* path, UINT32 PathWCharLength,
+                           UINT32 id, UINT32 DesiredAccess, UINT32 CreateDisposition,
+                           UINT32 CreateOptions, UINT32 FileAttributes, UINT32 SharedAccess);
+ BOOL drive_file_free(DRIVE_FILE* file);
+ 
+ BOOL drive_file_open(DRIVE_FILE* file);
+@@ -64,6 +64,6 @@
+ BOOL drive_file_set_information(DRIVE_FILE* file, UINT32 FsInformationClass, UINT32 Length,
+                                 wStream* input);
+ BOOL drive_file_query_directory(DRIVE_FILE* file, UINT32 FsInformationClass, BYTE InitialQuery,
+-                                const WCHAR* path, UINT32 PathLength, wStream* output);
+                                const WCHAR* path, UINT32 PathWCharLength, wStream* output);
+ 
+ #endif /* FREERDP_CHANNEL_DRIVE_FILE_H */
+--- a/channels/drive/client/drive_main.c
+++ b/channels/drive/client/drive_main.c
+@@ -184,8 +184,8 @@
+ 
+ 	path = (const WCHAR*)Stream_Pointer(irp->input);
+ 	FileId = irp->devman->id_sequence++;
+-	file = drive_file_new(drive->path, path, PathLength, FileId, DesiredAccess, CreateDisposition,
+-	                      CreateOptions, FileAttributes, SharedAccess);
+	file = drive_file_new(drive->path, path, PathLength / sizeof(WCHAR), FileId, DesiredAccess,
+	                      CreateDisposition, CreateOptions, FileAttributes, SharedAccess);
+ 
+ 	if (!file)
+ 	{
+@@ -636,8 +636,8 @@
+ 		irp->IoStatus = STATUS_UNSUCCESSFUL;
+ 		Stream_Write_UINT32(irp->output, 0); /* Length */
+ 	}
+-	else if (!drive_file_query_directory(file, FsInformationClass, InitialQuery, path, PathLength,
+-	                                     irp->output))
+	else if (!drive_file_query_directory(file, FsInformationClass, InitialQuery, path,
+	                                     PathLength / sizeof(WCHAR), irp->output))
+ 	{
+ 		irp->IoStatus = drive_map_windows_err(GetLastError());
+ 	}
--- a/debian/patches/series
+++ b/debian/patches/series
@ -45,3 +45,4 @@
 0053-CVE-2022-39316.patch
 0054-CVE-2022-39318.patch
 0055-CVE-2022-39319.patch
+0056-CVE-2022-39347.patch