scsi: pvscsi: check command descriptor ring buffer size (CVE-2016-4952)
[qemu.git] / qga / service-win32.c
1 /*
2 * QEMU Guest Agent helpers for win32 service management
3 *
4 * Copyright IBM Corp. 2012
5 *
6 * Authors:
7 * Gal Hammer <ghammer@redhat.com>
8 * Michael Roth <mdroth@linux.vnet.ibm.com>
9 *
10 * This work is licensed under the terms of the GNU GPL, version 2 or later.
11 * See the COPYING file in the top-level directory.
12 */
13 #include "qemu/osdep.h"
14 #include <glib.h>
15 #include <windows.h>
16 #include "qga/service-win32.h"
17
18 static int printf_win_error(const char *text)
19 {
20 DWORD err = GetLastError();
21 char *message;
22 int n;
23
24 FormatMessage(FORMAT_MESSAGE_ALLOCATE_BUFFER |
25 FORMAT_MESSAGE_FROM_SYSTEM | FORMAT_MESSAGE_IGNORE_INSERTS,
26 NULL,
27 err,
28 MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT),
29 (char *)&message, 0,
30 NULL);
31 n = fprintf(stderr, "%s. (Error: %d) %s", text, (int)err, message);
32 LocalFree(message);
33
34 return n;
35 }
36
37 /* Windows command line escaping. Based on
38 * <http://blogs.msdn.com/b/oldnewthing/archive/2010/09/17/10063629.aspx> and
39 * <http://msdn.microsoft.com/en-us/library/windows/desktop/17w5ykft%28v=vs.85%29.aspx>.
40 *
41 * The caller is responsible for initializing @buffer; prior contents are lost.
42 */
43 static const char *win_escape_arg(const char *to_escape, GString *buffer)
44 {
45 size_t backslash_count;
46 const char *c;
47
48 /* open with a double quote */
49 g_string_assign(buffer, "\"");
50
51 backslash_count = 0;
52 for (c = to_escape; *c != '\0'; ++c) {
53 switch (*c) {
54 case '\\':
55 /* The meaning depends on the first non-backslash character coming
56 * up.
57 */
58 ++backslash_count;
59 break;
60
61 case '"':
62 /* We must escape each pending backslash, then escape the double
63 * quote. This creates a case of "odd number of backslashes [...]
64 * followed by a double quotation mark".
65 */
66 while (backslash_count) {
67 --backslash_count;
68 g_string_append(buffer, "\\\\");
69 }
70 g_string_append(buffer, "\\\"");
71 break;
72
73 default:
74 /* Any pending backslashes are without special meaning, flush them.
75 * "Backslashes are interpreted literally, unless they immediately
76 * precede a double quotation mark."
77 */
78 while (backslash_count) {
79 --backslash_count;
80 g_string_append_c(buffer, '\\');
81 }
82 g_string_append_c(buffer, *c);
83 }
84 }
85
86 /* We're about to close with a double quote in string delimiter role.
87 * Double all pending backslashes, creating a case of "even number of
88 * backslashes [...] followed by a double quotation mark".
89 */
90 while (backslash_count) {
91 --backslash_count;
92 g_string_append(buffer, "\\\\");
93 }
94 g_string_append_c(buffer, '"');
95
96 return buffer->str;
97 }
98
99 int ga_install_service(const char *path, const char *logfile,
100 const char *state_dir)
101 {
102 int ret = EXIT_FAILURE;
103 SC_HANDLE manager;
104 SC_HANDLE service;
105 TCHAR module_fname[MAX_PATH];
106 GString *esc;
107 GString *cmdline;
108 SERVICE_DESCRIPTION desc = { (char *)QGA_SERVICE_DESCRIPTION };
109
110 if (GetModuleFileName(NULL, module_fname, MAX_PATH) == 0) {
111 printf_win_error("No full path to service's executable");
112 return EXIT_FAILURE;
113 }
114
115 esc = g_string_new("");
116 cmdline = g_string_new("");
117
118 g_string_append_printf(cmdline, "%s -d",
119 win_escape_arg(module_fname, esc));
120
121 if (path) {
122 g_string_append_printf(cmdline, " -p %s", win_escape_arg(path, esc));
123 }
124 if (logfile) {
125 g_string_append_printf(cmdline, " -l %s -v",
126 win_escape_arg(logfile, esc));
127 }
128 if (state_dir) {
129 g_string_append_printf(cmdline, " -t %s",
130 win_escape_arg(state_dir, esc));
131 }
132
133 g_debug("service's cmdline: %s", cmdline->str);
134
135 manager = OpenSCManager(NULL, NULL, SC_MANAGER_ALL_ACCESS);
136 if (manager == NULL) {
137 printf_win_error("No handle to service control manager");
138 goto out_strings;
139 }
140
141 service = CreateService(manager, QGA_SERVICE_NAME, QGA_SERVICE_DISPLAY_NAME,
142 SERVICE_ALL_ACCESS, SERVICE_WIN32_OWN_PROCESS, SERVICE_AUTO_START,
143 SERVICE_ERROR_NORMAL, cmdline->str, NULL, NULL, NULL, NULL, NULL);
144 if (service == NULL) {
145 printf_win_error("Failed to install service");
146 goto out_manager;
147 }
148
149 ChangeServiceConfig2(service, SERVICE_CONFIG_DESCRIPTION, &desc);
150 fprintf(stderr, "Service was installed successfully.\n");
151 ret = EXIT_SUCCESS;
152 CloseServiceHandle(service);
153
154 out_manager:
155 CloseServiceHandle(manager);
156
157 out_strings:
158 g_string_free(cmdline, TRUE);
159 g_string_free(esc, TRUE);
160 return ret;
161 }
162
163 int ga_uninstall_service(void)
164 {
165 SC_HANDLE manager;
166 SC_HANDLE service;
167
168 manager = OpenSCManager(NULL, NULL, SC_MANAGER_ALL_ACCESS);
169 if (manager == NULL) {
170 printf_win_error("No handle to service control manager");
171 return EXIT_FAILURE;
172 }
173
174 service = OpenService(manager, QGA_SERVICE_NAME, DELETE);
175 if (service == NULL) {
176 printf_win_error("No handle to service");
177 CloseServiceHandle(manager);
178 return EXIT_FAILURE;
179 }
180
181 if (DeleteService(service) == FALSE) {
182 printf_win_error("Failed to delete service");
183 } else {
184 fprintf(stderr, "Service was deleted successfully.\n");
185 }
186
187 CloseServiceHandle(service);
188 CloseServiceHandle(manager);
189
190 return EXIT_SUCCESS;
191 }