On Monday, 18 May 2026 19:40:34 CEST Christian Schoenebeck wrote:
> This series fixes a heap buffer overflow vulnerability in the 9pfs local
> backend. The vulnerability occurs when handling paths exceeding 65536 bytes,
> due to the V9fsPath.size field being limited to 16 bits.
>
> The fix consists of:
>
> - Changing V9fsPath.size from uint16_t to size_t.
> - Converting v9fs_path_sprintf() to return int for error handling.
> - Adding error propagation through all path manipulation functions.
>
> Individual Patches:
>
> - Patch 1 is just an additional defensive patch.
>
> - Actual fixes are patches 2..4, where patch 2..3 are preparatory, and
>   patch 4 is the actual behaviour fix.
>
> - Patch 5 adds a reset function to the virtio test client for the new
>   test to work.
>
> - Patch 6 adds a new test to guard this buffer overflow issue.
>   It must be enabled explicitly by -m slow for it to run.
>
> More details about this issue:
> https://gitlab.com/qemu-project/qemu/-/issues/3358

Queued on 9p.next:
https://github.com/cschoenebeck/qemu/commits/9p.next

Thanks!

/Christian

> Christian Schoenebeck (6):
>   hw/9pfs: add NULL check in v9fs_path_is_ancestor()
>   hw/9pfs: change V9fsPath.size to size_t and v9fs_path_sprintf() return
>     type
>   hw/9pfs: add error handling to v9fs_fix_path()
>   hw/9pfs: let callers of v9fs_path_sprintf() and v9fs_fix_path() handle
>     errors
>   tests/qtest/libqos: add qvirtqueue_reset_pool() for descriptor pool
>     reset
>   tests/9pfs: add deep absolute path test
>
>  fsdev/file-op-9p.h           |  2 +-
>  hw/9pfs/9p-local.c           | 23 ++++++++----
>  hw/9pfs/9p.c                 | 41 +++++++++++++++------
>  hw/9pfs/9p.h                 |  4 +--
>  tests/qtest/libqos/virtio.c  | 23 ++++++++++++
>  tests/qtest/libqos/virtio.h  |  2 ++
>  tests/qtest/virtio-9p-test.c | 69 ++++++++++++++++++++++++++++++++++++
>  7 files changed, 144 insertions(+), 20 deletions(-)
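An added illustration of the width bug the cover letter describes, not code from this series or from QEMU: a constructed model in which the "before" and "after" path structs differ only in the type of the size field, with the fixed setter returning int so callers can reject an overlong path. PathNarrow, PathWide, path_set_narrow, path_set_wide, make_path and the two check functions are hypothetical names; the 4096-byte limit used in the test is an assumed cap, not QEMU's.

```c
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of the bug shape, not QEMU's own code; only 'size' width differs. */
typedef struct { uint16_t size; char *data; } PathNarrow; /* before the fix */
typedef struct { size_t   size; char *data; } PathWide;   /* after the fix  */
/* Vulnerable: the size_t length is silently truncated to 16 bits on assignment,
 * so a 65536-byte path (len == 65537) records a size of 1. */
static void path_set_narrow(PathNarrow *p, const char *s)
{
    size_t len = strlen(s) + 1;
    p->data = malloc(len);
    memcpy(p->data, s, len);
    p->size = (uint16_t)len; /* implicit in real code; cast shown for clarity */
}

/* Fixed: size_t keeps the true length; the int return lets callers reject
 * an overlong path instead of carrying a wrong size downstream. */
static int path_set_wide(PathWide *p, const char *s, size_t max)
{
    size_t len = strlen(s) + 1;
    if (len > max) { return -ENAMETOOLONG; }
    if (!(p->data = malloc(len))) { return -ENOMEM; }
    memcpy(p->data, s, len);
    p->size = len;
    return 0;
}
/* Constructed input: a path of n 'a' bytes, n <= 65536. */
static char path_buf[65536 + 1];
static const char *make_path(size_t n)
{ memset(path_buf, 'a', n); path_buf[n] = '\0'; return path_buf; }
/* Bytes short if a consumer allocates p->size and copies the whole string (0: consistent). */
static size_t narrow_shortfall(size_t n)
{
    PathNarrow p;
    path_set_narrow(&p, make_path(n));
    size_t short_by = (strlen(p.data) + 1) - p.size;
    free(p.data);
    return short_by;
}
/* Return code of the fixed variant for a path of n bytes. */
static int wide_result(size_t n, size_t max)
{
    PathWide p = { 0, NULL };
    int rc = path_set_wide(&p, make_path(n), max);
    free(p.data);
    return rc;
}
```

With the 16-bit field a 65536-byte path reports size 1 while the data is 65537 bytes, which is exactly the mismatch that lets a size-driven consumer under-allocate; the size_t variant either records the true length or refuses the path.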
