On Friday, 13 February 2026 10:56:05 CET Christian Schoenebeck wrote: > From: Oliver Chang <[email protected]> > > When `v9fs_complete_rename` is called with `newdirfid == -1`, it attempts to > derive the directory name from `fidp->path.data` using > `g_path_get_dirname`. This logic assumes that `fidp->path.data` always > contains a null-terminated string representing a pathname. > > While this assumption holds for the 'local' backend, the 'synth' backend > stores a `V9fsSynthNode *` pointer directly in the `V9fsPath.data` buffer. > When using 'synth', `g_path_get_dirname` treats this pointer as a string, > often resulting in a short string like ".". > > The subsequent call to `v9fs_co_name_to_path` invokes `synth_name_to_path`, > which expects `dir_path.data` to contain a `V9fsSynthNode *`. It attempts to > read 8 bytes (on 64-bit) from the buffer. If `g_path_get_dirname` returned > a short string, this results in a heap-buffer-overflow read. > > Fix this by checking for the `V9FS_PATHNAME_FSCONTEXT` flag in the export > flags. This flag indicates that the backend supports string-based pathnames. > If it is not set (as in the 'synth' backend), return `-EOPNOTSUPP` to > prevent invalid memory access. > > Co-authored-by: CodeMender <[email protected]> > Fixes: https://issues.oss-fuzz.com/issues/477990727 > ---
Oliver, IIUIC your patch was auto generated by A.I. and AFAICS QEMU's current policies forbid any A.I. generated contributions in general: https://www.qemu.org/docs/master/devel/code-provenance.html#use-of-ai-generated-content It is also missing a Signed-off-by: tag BTW. Technically the patch should better be generalized anyway, at least by moving the V9FS_PATHNAME_FSCONTEXT check to the beginning of the function, as renaming is only possible with pathname-based fs drivers. Peter, would that be sane enough or would such a v2 patch considered as "derived from A.I content" as well? /Christian > hw/9pfs/9p.c | 9 ++++++++- > 1 file changed, 8 insertions(+), 1 deletion(-) > > diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c > index 6fbe604ce8..546e70f75c 100644 > --- a/hw/9pfs/9p.c > +++ b/hw/9pfs/9p.c > @@ -3310,9 +3310,16 @@ static int coroutine_fn v9fs_complete_rename(V9fsPDU > *pdu, V9fsFidState *fidp, goto out; > } > } else { > - char *dir_name = g_path_get_dirname(fidp->path.data); > + char *dir_name; > V9fsPath dir_path; > > + if (!(s->ctx.export_flags & V9FS_PATHNAME_FSCONTEXT)) { > + /* path renaming is only supported for path based fid */ > + err = -EOPNOTSUPP; > + goto out; > + } > + > + dir_name = g_path_get_dirname(fidp->path.data); > v9fs_path_init(&dir_path); > v9fs_path_sprintf(&dir_path, "%s", dir_name); > g_free(dir_name);
