This series fixes a heap buffer overflow vulnerability in the 9pfs local backend. The vulnerability occurs when handling paths exceeding 65536 bytes, due to the V9fsPath.size field being limited to 16 bits.
The fix consists of: - Changing V9fsPath.size from uint16_t to size_t. - Converting v9fs_path_sprintf() to return int for error handling. - Adding error propagation through all path manipulation functions. Invididual Patches: - Patch 1 is just an additional defensive patch. - Actual fixes are patches 2..4, where patch 2..3 are prepatory, and patch 4 is the actual behaviour fix. - Patch 5 adds a reset function to the virtio test client for the new test to work. - Patch 6 adds a new test to guard this buffer overflow issue. It must be enabled explicitly by -m slow for it to run. More details about this issue: https://gitlab.com/qemu-project/qemu/-/issues/3358 Christian Schoenebeck (6): hw/9pfs: add NULL check in v9fs_path_is_ancestor() hw/9pfs: change V9fsPath.size to size_t and v9fs_path_sprintf() return type hw/9pfs: add error handling to v9fs_fix_path() hw/9pfs: let callers of v9fs_path_sprintf() and v9fs_fix_path() handle errors tests/qtest/libqos: add qvirtqueue_reset_pool() for descriptor pool reset tests/9pfs: add deep absolute path test fsdev/file-op-9p.h | 2 +- hw/9pfs/9p-local.c | 23 ++++++++---- hw/9pfs/9p.c | 41 +++++++++++++++------ hw/9pfs/9p.h | 4 +-- tests/qtest/libqos/virtio.c | 23 ++++++++++++ tests/qtest/libqos/virtio.h | 2 ++ tests/qtest/virtio-9p-test.c | 69 ++++++++++++++++++++++++++++++++++++ 7 files changed, 144 insertions(+), 20 deletions(-) -- 2.47.3
