From: Jia Jia <physicalmtea@gmail.com>
To: qemu-devel@nongnu.org
Cc: Christian Schoenebeck <qemu_oss@crudebyte.com>,
Greg Kurz <groug@kaod.org>,
qemu-stable@nongnu.org
Subject: [PATCH] 9pfs: fix deep path truncation in V9fsPath
Date: Tue, 28 Apr 2026 15:46:14 +0800 [thread overview]
Message-ID: <20260428074614.3169999-1-physicalmtea@gmail.com> (raw)
V9fsPath.size tracks the length of backend path data. Storing it in a
uint16_t truncates local backend paths longer than 65535 bytes, so later
path copies can end up much smaller than the string data they are
supposed to describe.
A guest can reach this with normal 9p filesystem operations by creating
and walking a sufficiently deep directory tree on the local backend. On
an ASan build, calling readdir() in that deep directory aborts the host
process with:
ERROR: AddressSanitizer: heap-buffer-overflow
#0 __interceptor_strrchr
#1 g_path_get_dirname
#2 local_lstat
#3 v9fs_co_lstat
#4 v9fs_getattr
Fix this by storing V9fsPath lengths in size_t.
Resolves: https://gitlab.com/qemu-project/qemu/-/work_items/3358
Cc: qemu-stable@nongnu.org
Signed-off-by: Jia Jia <physicalmtea@gmail.com>
---
Runtime reproducer:
confirmed on current master (11.0.50) with an x86_64 ASan build and a
local 9p backend
guest actions:
- mount the 9p share
- create a 260-level directory tree with 255-byte names
- walk back to the deepest directory
- call readdir()
host abort:
ERROR: AddressSanitizer: heap-buffer-overflow
#0 __interceptor_strrchr
#1 g_path_get_dirname
#2 local_lstat
#3 v9fs_co_lstat
#4 v9fs_getattr
fsdev/file-op-9p.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fsdev/file-op-9p.h b/fsdev/file-op-9p.h
index b85c9934def..e8d0661c4b5 100644
--- a/fsdev/file-op-9p.h
+++ b/fsdev/file-op-9p.h
@@ -112,7 +112,7 @@ struct FsContext {
};
struct V9fsPath {
- uint16_t size;
+ size_t size;
char *data;
};
P9ARRAY_DECLARE_TYPE(V9fsPath);
--
2.34.1
next reply other threads:[~2026-04-28 13:36 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-04-28 7:46 Jia Jia [this message]
2026-04-28 8:21 ` Please ignore my [PATCH] 9pfs: fix deep path truncation in V9fsPath Jia Jia
2026-04-30 8:57 ` Christian Schoenebeck
2026-04-30 12:52 ` Jia Jia
2026-05-04 10:30 ` Christian Schoenebeck
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260428074614.3169999-1-physicalmtea@gmail.com \
--to=physicalmtea@gmail.com \
--cc=groug@kaod.org \
--cc=qemu-devel@nongnu.org \
--cc=qemu-stable@nongnu.org \
--cc=qemu_oss@crudebyte.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.