scsi: pvscsi: check command descriptor ring buffer size (CVE-2016-4952)
[qemu.git] / qga / vss-win32 / install.cpp
1 /*
2 * QEMU Guest Agent win32 VSS Provider installer
3 *
4 * Copyright Hitachi Data Systems Corp. 2013
5 *
6 * Authors:
7 * Tomoki Sekiyama <tomoki.sekiyama@hds.com>
8 *
9 * This work is licensed under the terms of the GNU GPL, version 2 or later.
10 * See the COPYING file in the top-level directory.
11 */
12
13 #include "qemu/osdep.h"
14
15 #include "vss-common.h"
16 #include "inc/win2003/vscoordint.h"
17
18 #include <comadmin.h>
19 #include <wbemidl.h>
20 #include <comdef.h>
21 #include <comutil.h>
22
23 extern HINSTANCE g_hinstDll;
24
25 const GUID CLSID_COMAdminCatalog = { 0xF618C514, 0xDFB8, 0x11d1,
26 {0xA2, 0xCF, 0x00, 0x80, 0x5F, 0xC7, 0x92, 0x35} };
27 const GUID IID_ICOMAdminCatalog2 = { 0x790C6E0B, 0x9194, 0x4cc9,
28 {0x94, 0x26, 0xA4, 0x8A, 0x63, 0x18, 0x56, 0x96} };
29 const GUID CLSID_WbemLocator = { 0x4590f811, 0x1d3a, 0x11d0,
30 {0x89, 0x1f, 0x00, 0xaa, 0x00, 0x4b, 0x2e, 0x24} };
31 const GUID IID_IWbemLocator = { 0xdc12a687, 0x737f, 0x11cf,
32 {0x88, 0x4d, 0x00, 0xaa, 0x00, 0x4b, 0x2e, 0x24} };
33
34 void errmsg(DWORD err, const char *text)
35 {
36 /*
37 * `text' contains function call statement when errmsg is called via chk().
38 * To make error message more readable, we cut off the text after '('.
39 * If text doesn't contains '(', negative precision is given, which is
40 * treated as though it were missing.
41 */
42 char *msg = NULL, *nul = strchr(text, '(');
43 int len = nul ? nul - text : -1;
44
45 FormatMessage(FORMAT_MESSAGE_ALLOCATE_BUFFER |
46 FORMAT_MESSAGE_FROM_SYSTEM | FORMAT_MESSAGE_IGNORE_INSERTS,
47 NULL, err, MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT),
48 (char *)&msg, 0, NULL);
49 fprintf(stderr, "%.*s. (Error: %lx) %s\n", len, text, err, msg);
50 LocalFree(msg);
51 }
52
53 static void errmsg_dialog(DWORD err, const char *text, const char *opt = "")
54 {
55 char *msg, buf[512];
56
57 FormatMessage(FORMAT_MESSAGE_ALLOCATE_BUFFER |
58 FORMAT_MESSAGE_FROM_SYSTEM | FORMAT_MESSAGE_IGNORE_INSERTS,
59 NULL, err, MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT),
60 (char *)&msg, 0, NULL);
61 snprintf(buf, sizeof(buf), "%s%s. (Error: %lx) %s", text, opt, err, msg);
62 MessageBox(NULL, buf, "Error from " QGA_PROVIDER_NAME, MB_OK|MB_ICONERROR);
63 LocalFree(msg);
64 }
65
66 #define _chk(hr, status, msg, err_label) \
67 do { \
68 hr = (status); \
69 if (FAILED(hr)) { \
70 errmsg(hr, msg); \
71 goto err_label; \
72 } \
73 } while (0)
74
75 #define chk(status) _chk(hr, status, "Failed to " #status, out)
76
77 #if !defined(__MINGW64_VERSION_MAJOR) || !defined(__MINGW64_VERSION_MINOR) || \
78 __MINGW64_VERSION_MAJOR * 100 + __MINGW64_VERSION_MINOR < 301
79 void __stdcall _com_issue_error(HRESULT hr)
80 {
81 errmsg(hr, "Unexpected error in COM");
82 }
83 #endif
84
85 template<class T>
86 HRESULT put_Value(ICatalogObject *pObj, LPCWSTR name, T val)
87 {
88 return pObj->put_Value(_bstr_t(name), _variant_t(val));
89 }
90
91 /* Lookup Administrators group name from winmgmt */
92 static HRESULT GetAdminName(_bstr_t *name)
93 {
94 HRESULT hr;
95 COMPointer<IWbemLocator> pLoc;
96 COMPointer<IWbemServices> pSvc;
97 COMPointer<IEnumWbemClassObject> pEnum;
98 COMPointer<IWbemClassObject> pWobj;
99 ULONG returned;
100 _variant_t var;
101
102 chk(CoCreateInstance(CLSID_WbemLocator, NULL, CLSCTX_INPROC_SERVER,
103 IID_IWbemLocator, (LPVOID *)pLoc.replace()));
104 chk(pLoc->ConnectServer(_bstr_t(L"ROOT\\CIMV2"), NULL, NULL, NULL,
105 0, 0, 0, pSvc.replace()));
106 chk(CoSetProxyBlanket(pSvc, RPC_C_AUTHN_WINNT, RPC_C_AUTHZ_NONE,
107 NULL, RPC_C_AUTHN_LEVEL_CALL,
108 RPC_C_IMP_LEVEL_IMPERSONATE, NULL, EOAC_NONE));
109 chk(pSvc->ExecQuery(_bstr_t(L"WQL"),
110 _bstr_t(L"select * from Win32_Account where "
111 "SID='S-1-5-32-544' and localAccount=TRUE"),
112 WBEM_FLAG_RETURN_IMMEDIATELY | WBEM_FLAG_FORWARD_ONLY,
113 NULL, pEnum.replace()));
114 if (!pEnum) {
115 hr = E_FAIL;
116 errmsg(hr, "Failed to query for Administrators");
117 goto out;
118 }
119 chk(pEnum->Next(WBEM_INFINITE, 1, pWobj.replace(), &returned));
120 if (returned == 0) {
121 hr = E_FAIL;
122 errmsg(hr, "No Administrators found");
123 goto out;
124 }
125
126 chk(pWobj->Get(_bstr_t(L"Name"), 0, &var, 0, 0));
127 try {
128 *name = var;
129 } catch(...) {
130 hr = E_FAIL;
131 errmsg(hr, "Failed to get name of Administrators");
132 goto out;
133 }
134
135 out:
136 return hr;
137 }
138
139 /* Find and iterate QGA VSS provider in COM+ Application Catalog */
140 static HRESULT QGAProviderFind(
141 HRESULT (*found)(ICatalogCollection *, int, void *), void *arg)
142 {
143 HRESULT hr;
144 COMInitializer initializer;
145 COMPointer<IUnknown> pUnknown;
146 COMPointer<ICOMAdminCatalog2> pCatalog;
147 COMPointer<ICatalogCollection> pColl;
148 COMPointer<ICatalogObject> pObj;
149 _variant_t var;
150 long i, n;
151
152 chk(CoCreateInstance(CLSID_COMAdminCatalog, NULL, CLSCTX_INPROC_SERVER,
153 IID_IUnknown, (void **)pUnknown.replace()));
154 chk(pUnknown->QueryInterface(IID_ICOMAdminCatalog2,
155 (void **)pCatalog.replace()));
156 chk(pCatalog->GetCollection(_bstr_t(L"Applications"),
157 (IDispatch **)pColl.replace()));
158 chk(pColl->Populate());
159
160 chk(pColl->get_Count(&n));
161 for (i = n - 1; i >= 0; i--) {
162 chk(pColl->get_Item(i, (IDispatch **)pObj.replace()));
163 chk(pObj->get_Value(_bstr_t(L"Name"), &var));
164 if (var == _variant_t(QGA_PROVIDER_LNAME)) {
165 if (FAILED(found(pColl, i, arg))) {
166 goto out;
167 }
168 }
169 }
170 chk(pColl->SaveChanges(&n));
171
172 out:
173 return hr;
174 }
175
176 /* Count QGA VSS provider in COM+ Application Catalog */
177 static HRESULT QGAProviderCount(ICatalogCollection *coll, int i, void *arg)
178 {
179 (*(int *)arg)++;
180 return S_OK;
181 }
182
183 /* Remove QGA VSS provider from COM+ Application Catalog Collection */
184 static HRESULT QGAProviderRemove(ICatalogCollection *coll, int i, void *arg)
185 {
186 HRESULT hr;
187
188 fprintf(stderr, "Removing COM+ Application: %s\n", QGA_PROVIDER_NAME);
189 chk(coll->Remove(i));
190 out:
191 return hr;
192 }
193
194 /* Unregister this module from COM+ Applications Catalog */
195 STDAPI COMUnregister(void)
196 {
197 HRESULT hr;
198
199 DllUnregisterServer();
200 chk(QGAProviderFind(QGAProviderRemove, NULL));
201 out:
202 return hr;
203 }
204
205 /* Register this module to COM+ Applications Catalog */
206 STDAPI COMRegister(void)
207 {
208 HRESULT hr;
209 COMInitializer initializer;
210 COMPointer<IUnknown> pUnknown;
211 COMPointer<ICOMAdminCatalog2> pCatalog;
212 COMPointer<ICatalogCollection> pApps, pRoles, pUsersInRole;
213 COMPointer<ICatalogObject> pObj;
214 long n;
215 _bstr_t name;
216 _variant_t key;
217 CHAR dllPath[MAX_PATH], tlbPath[MAX_PATH];
218 bool unregisterOnFailure = false;
219 int count = 0;
220
221 if (!g_hinstDll) {
222 errmsg(E_FAIL, "Failed to initialize DLL");
223 return E_FAIL;
224 }
225
226 chk(QGAProviderFind(QGAProviderCount, (void *)&count));
227 if (count) {
228 errmsg(E_ABORT, "QGA VSS Provider is already installed");
229 return E_ABORT;
230 }
231
232 chk(CoCreateInstance(CLSID_COMAdminCatalog, NULL, CLSCTX_INPROC_SERVER,
233 IID_IUnknown, (void **)pUnknown.replace()));
234 chk(pUnknown->QueryInterface(IID_ICOMAdminCatalog2,
235 (void **)pCatalog.replace()));
236
237 /* Install COM+ Component */
238
239 chk(pCatalog->GetCollection(_bstr_t(L"Applications"),
240 (IDispatch **)pApps.replace()));
241 chk(pApps->Populate());
242 chk(pApps->Add((IDispatch **)&pObj));
243 chk(put_Value(pObj, L"Name", QGA_PROVIDER_LNAME));
244 chk(put_Value(pObj, L"Description", QGA_PROVIDER_LNAME));
245 chk(put_Value(pObj, L"ApplicationAccessChecksEnabled", true));
246 chk(put_Value(pObj, L"Authentication", short(6)));
247 chk(put_Value(pObj, L"AuthenticationCapability", short(2)));
248 chk(put_Value(pObj, L"ImpersonationLevel", short(2)));
249 chk(pApps->SaveChanges(&n));
250
251 /* The app should be deleted if something fails after SaveChanges */
252 unregisterOnFailure = true;
253
254 chk(pObj->get_Key(&key));
255
256 if (!GetModuleFileName(g_hinstDll, dllPath, sizeof(dllPath))) {
257 hr = HRESULT_FROM_WIN32(GetLastError());
258 errmsg(hr, "GetModuleFileName failed");
259 goto out;
260 }
261 n = strlen(dllPath);
262 if (n < 3) {
263 hr = E_FAIL;
264 errmsg(hr, "Failed to lookup dll");
265 goto out;
266 }
267 strcpy(tlbPath, dllPath);
268 strcpy(tlbPath+n-3, "tlb");
269 fprintf(stderr, "Registering " QGA_PROVIDER_NAME ":\n");
270 fprintf(stderr, " %s\n", dllPath);
271 fprintf(stderr, " %s\n", tlbPath);
272 if (!PathFileExists(tlbPath)) {
273 hr = HRESULT_FROM_WIN32(ERROR_FILE_NOT_FOUND);
274 errmsg(hr, "Failed to lookup tlb");
275 goto out;
276 }
277
278 chk(pCatalog->CreateServiceForApplication(
279 _bstr_t(QGA_PROVIDER_LNAME), _bstr_t(QGA_PROVIDER_LNAME),
280 _bstr_t(L"SERVICE_AUTO_START"), _bstr_t(L"SERVICE_ERROR_NORMAL"),
281 _bstr_t(L""), _bstr_t(L".\\localsystem"), _bstr_t(L""), FALSE));
282 chk(pCatalog->InstallComponent(_bstr_t(QGA_PROVIDER_LNAME),
283 _bstr_t(dllPath), _bstr_t(tlbPath),
284 _bstr_t("")));
285
286 /* Setup roles of the applicaion */
287
288 chk(pApps->GetCollection(_bstr_t(L"Roles"), key,
289 (IDispatch **)pRoles.replace()));
290 chk(pRoles->Populate());
291 chk(pRoles->Add((IDispatch **)pObj.replace()));
292 chk(put_Value(pObj, L"Name", L"Administrators"));
293 chk(put_Value(pObj, L"Description", L"Administrators group"));
294 chk(pRoles->SaveChanges(&n));
295 chk(pObj->get_Key(&key));
296
297 /* Setup users in the role */
298
299 chk(pRoles->GetCollection(_bstr_t(L"UsersInRole"), key,
300 (IDispatch **)pUsersInRole.replace()));
301 chk(pUsersInRole->Populate());
302
303 chk(pUsersInRole->Add((IDispatch **)pObj.replace()));
304 chk(GetAdminName(&name));
305 chk(put_Value(pObj, L"User", _bstr_t(".\\") + name));
306
307 chk(pUsersInRole->Add((IDispatch **)pObj.replace()));
308 chk(put_Value(pObj, L"User", L"SYSTEM"));
309 chk(pUsersInRole->SaveChanges(&n));
310
311 out:
312 if (unregisterOnFailure && FAILED(hr)) {
313 COMUnregister();
314 }
315
316 return hr;
317 }
318
319
320 static BOOL CreateRegistryKey(LPCTSTR key, LPCTSTR value, LPCTSTR data)
321 {
322 HKEY hKey;
323 LONG ret;
324 DWORD size;
325
326 ret = RegCreateKeyEx(HKEY_CLASSES_ROOT, key, 0, NULL,
327 REG_OPTION_NON_VOLATILE, KEY_WRITE, NULL, &hKey, NULL);
328 if (ret != ERROR_SUCCESS) {
329 goto out;
330 }
331
332 if (data != NULL) {
333 size = strlen(data) + 1;
334 } else {
335 size = 0;
336 }
337
338 ret = RegSetValueEx(hKey, value, 0, REG_SZ, (LPBYTE)data, size);
339 RegCloseKey(hKey);
340
341 out:
342 if (ret != ERROR_SUCCESS) {
343 /* As we cannot printf within DllRegisterServer(), show a dialog. */
344 errmsg_dialog(ret, "Cannot add registry", key);
345 return FALSE;
346 }
347 return TRUE;
348 }
349
350 /* Register this dll as a VSS provider */
351 STDAPI DllRegisterServer(void)
352 {
353 COMInitializer initializer;
354 COMPointer<IVssAdmin> pVssAdmin;
355 HRESULT hr = E_FAIL;
356 char dllPath[MAX_PATH];
357 char key[256];
358
359 if (!g_hinstDll) {
360 errmsg_dialog(hr, "Module instance is not available");
361 goto out;
362 }
363
364 /* Add this module to registery */
365
366 sprintf(key, "CLSID\\%s", g_szClsid);
367 if (!CreateRegistryKey(key, NULL, g_szClsid)) {
368 goto out;
369 }
370
371 if (!GetModuleFileName(g_hinstDll, dllPath, sizeof(dllPath))) {
372 errmsg_dialog(GetLastError(), "GetModuleFileName failed");
373 goto out;
374 }
375
376 sprintf(key, "CLSID\\%s\\InprocServer32", g_szClsid);
377 if (!CreateRegistryKey(key, NULL, dllPath)) {
378 goto out;
379 }
380
381 if (!CreateRegistryKey(key, "ThreadingModel", "Apartment")) {
382 goto out;
383 }
384
385 sprintf(key, "CLSID\\%s\\ProgID", g_szClsid);
386 if (!CreateRegistryKey(key, NULL, g_szProgid)) {
387 goto out;
388 }
389
390 if (!CreateRegistryKey(g_szProgid, NULL, QGA_PROVIDER_NAME)) {
391 goto out;
392 }
393
394 sprintf(key, "%s\\CLSID", g_szProgid);
395 if (!CreateRegistryKey(key, NULL, g_szClsid)) {
396 goto out;
397 }
398
399 hr = CoCreateInstance(CLSID_VSSCoordinator, NULL, CLSCTX_ALL,
400 IID_IVssAdmin, (void **)pVssAdmin.replace());
401 if (FAILED(hr)) {
402 errmsg_dialog(hr, "CoCreateInstance(VSSCoordinator) failed");
403 goto out;
404 }
405
406 hr = pVssAdmin->RegisterProvider(g_gProviderId, CLSID_QGAVSSProvider,
407 const_cast<WCHAR*>(QGA_PROVIDER_LNAME),
408 VSS_PROV_SOFTWARE,
409 const_cast<WCHAR*>(QGA_PROVIDER_VERSION),
410 g_gProviderVersion);
411 if (FAILED(hr)) {
412 errmsg_dialog(hr, "RegisterProvider failed");
413 }
414
415 out:
416 if (FAILED(hr)) {
417 DllUnregisterServer();
418 }
419
420 return hr;
421 }
422
423 /* Unregister this VSS hardware provider from the system */
424 STDAPI DllUnregisterServer(void)
425 {
426 TCHAR key[256];
427 COMInitializer initializer;
428 COMPointer<IVssAdmin> pVssAdmin;
429
430 HRESULT hr = CoCreateInstance(CLSID_VSSCoordinator,
431 NULL, CLSCTX_ALL, IID_IVssAdmin,
432 (void **)pVssAdmin.replace());
433 if (SUCCEEDED(hr)) {
434 hr = pVssAdmin->UnregisterProvider(g_gProviderId);
435 } else {
436 errmsg(hr, "CoCreateInstance(VSSCoordinator) failed");
437 }
438
439 sprintf(key, "CLSID\\%s", g_szClsid);
440 SHDeleteKey(HKEY_CLASSES_ROOT, key);
441 SHDeleteKey(HKEY_CLASSES_ROOT, g_szProgid);
442
443 return S_OK; /* Uninstall should never fail */
444 }
445
446
447 /* Support function to convert ASCII string into BSTR (used in _bstr_t) */
448 namespace _com_util
449 {
450 BSTR WINAPI ConvertStringToBSTR(const char *ascii) {
451 int len = strlen(ascii);
452 BSTR bstr = SysAllocStringLen(NULL, len);
453
454 if (!bstr) {
455 return NULL;
456 }
457
458 if (mbstowcs(bstr, ascii, len) == (size_t)-1) {
459 fprintf(stderr, "Failed to convert string '%s' into BSTR", ascii);
460 bstr[0] = 0;
461 }
462 return bstr;
463 }
464 }