From: Philippe Mathieu-Daudé
To: qemu-devel@nongnu.org
Cc: Max Reitz, Kevin Wolf, Johannes Schindelin, qemu-block@nongnu.org, Philippe Mathieu-Daudé
Subject: [PATCH 4/4] block/vvfat: Avoid out of bounds write in create_long_filename()
Date: Fri, 30 Apr 2021 18:25:19 +0200
Message-Id: <20210430162519.271607-5-philmd@redhat.com>
In-Reply-To: <20210430162519.271607-1-philmd@redhat.com>
References: <20210430162519.271607-1-philmd@redhat.com>

The direntry_t::name holds 11 bytes:

  typedef struct direntry_t {
      uint8_t name[8 + 3];
      ...

However create_long_filename() writes up to 31 bytes into it:

 421     for(i=0;i<26*number_of_entries;i++) {
 422         int offset=(i%26);
 423         if(offset<10) offset=1+offset;
 424         else if(offset<22) offset=14+offset-10;
 425         else offset=28+offset-22;
 426         entry=array_get(&(s->directory),s->directory.next-1-(i/26));
 427         if (i >= 2 * length + 2) {
 428             entry->name[offset] = 0xff;
 429         } else if (i % 2 == 0) {
 430             entry->name[offset] = longname[i / 2] & 0xff;
 431         } else {
 432             entry->name[offset] = longname[i / 2] >> 8;
 433         }
 434     }

For example, if i=25, offset=28+25-22=31

Then in lines 428, 430 and 432 the entry->name[] array is
written beside its 11 bytes, as reported by Clang sanitizer:

  block/vvfat.c:430:13: runtime error: index 14 out of bounds for type 'uint8_t [11]'
  SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior block/vvfat.c:430:13 in
  block/vvfat.c:432:13: runtime error: index 15 out of bounds for type 'uint8_t [11]'
  SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior block/vvfat.c:432:13 in
  block/vvfat.c:428:13: runtime error: index 18 out of bounds for type 'uint8_t [11]'
  SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior block/vvfat.c:428:13 in

As I have no idea about what this code does, simply skip the writes
if out of range, since it is not worse than what we have currently
(and my tests using vvfat work identically).

Fixes: de167e416fa ("Virtual VFAT support (Johannes Schindelin)")
Signed-off-by: Philippe Mathieu-Daudé
---
 block/vvfat.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/block/vvfat.c b/block/vvfat.c
index c193a816646..c7162e77d68 100644
--- a/block/vvfat.c
+++ b/block/vvfat.c
@@ -423,6 +423,9 @@ static direntry_t *create_long_filename(BDRVVVFATState *s, const char *filename)
         if(offset<10) offset=1+offset;
         else if(offset<22) offset=14+offset-10;
         else offset=28+offset-22;
+        if (offset >= ARRAY_SIZE(entry->name)) {
+            continue;
+        }
         entry=array_get(&(s->directory),s->directory.next-1-(i/26));
         if (i >= 2 * length + 2) {
             entry->name[offset] = 0xff;
-- 
2.26.3
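Review bot: the added `continue` before `entry=array_get(...)` discards data rather than fixing a bounds problem. The three context lines above it map the 26 slots of each entry to byte offsets 1-10, 14-25 and 28-31, which is exactly the byte layout of an on-disk FAT long-filename entry (name characters at 1-10, 14-25 and 28-31; attribute, type and checksum at 11-13; the cluster field at 26-27), so the stores past `name[11]` were deliberately landing in the later fields of the same 32-byte direntry_t. Skipping every offset >= 11 drops 16 of the 26 bytes written per entry, i.e. characters 6-13 of every 13-character chunk, so any long name of more than five characters would be truncated on disk; the expectation in the description that this is no worse than current behaviour does not hold, and a guest listing the directory should show it. Suggest keeping the stores but addressing the whole entry as bytes, e.g. `uint8_t *bytes = (uint8_t *)entry;` followed by `bytes[offset] = ...` in the three assignments, together with a build-time assertion that sizeof(direntry_t) == 32, so the maximum offset 31 is provably inside the object and the sanitizer is silenced without changing the on-disk format. Minor: the new check names `entry->name` before `entry` is reassigned on the next line; sizeof does not evaluate its operand so this is not a dereference, but placing the check after the `array_get()` line would read more naturally.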
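Added example, not QEMU's code and not the patch author's: it reproduces the slot-to-offset mapping quoted in the description, counts how many of the 26 slots per entry fall outside name[11], and performs the same stores through a byte view of a whole 32-byte entry so that the sanitizer sees an in-object access and no character is dropped. The struct lfn_entry_t and the functions lfn_slot_offset(), lfn_max_offset(), lfn_slots_outside_name() and lfn_encode() are introduced here; the fields after name[] are an assumption laid out like the on-disk FAT long-filename entry, since the page shows only name[8 + 3].

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Hypothetical 32-byte directory entry laid out like an on-disk FAT
 * long-filename entry. Only name[8 + 3] appears on the page; the other
 * fields are assumed so that the entry is exactly 32 bytes and offset 31
 * is its last valid byte.
 */
typedef struct {
    uint8_t name[8 + 3];   /* bytes 0..10, byte 0 holds the sequence number */
    uint8_t attributes;    /* byte 11 */
    uint8_t reserved;      /* byte 12 */
    uint8_t checksum;      /* byte 13 */
    uint8_t rest[18];      /* bytes 14..31 (26-27 are the cluster field) */
} lfn_entry_t;

_Static_assert(sizeof(lfn_entry_t) == 32, "LFN entry must be 32 bytes");

/* Same mapping as lines 422-425 of the quoted loop: slot i -> byte offset. */
int lfn_slot_offset(int i)
{
    int offset = i % 26;
    if (offset < 10) {
        return 1 + offset;          /* bytes 1..10  */
    } else if (offset < 22) {
        return 14 + offset - 10;    /* bytes 14..25 */
    }
    return 28 + offset - 22;        /* bytes 28..31 */
}

/* Largest offset the loop can produce (i % 26 == 25 gives 31). */
int lfn_max_offset(void)
{
    int max = 0;
    for (int i = 0; i < 26; i++) {
        int off = lfn_slot_offset(i);
        if (off > max) {
            max = off;
        }
    }
    return max;
}

/* Slots per entry that lie outside name[11]: the writes a `continue` on
 * offset >= ARRAY_SIZE(name) would skip. */
int lfn_slots_outside_name(void)
{
    int n = 0;
    for (int i = 0; i < 26; i++) {
        if (lfn_slot_offset(i) >= (int)sizeof(((lfn_entry_t *)0)->name)) {
            n++;
        }
    }
    return n;
}

/*
 * Same encoding as lines 421-434, but each store goes through a byte view
 * of the whole entry and is bounded by sizeof(*entry), not sizeof(name).
 * longname holds `length` UTF-16 code units followed by a 0 terminator.
 */
int lfn_encode(lfn_entry_t *entries, int number_of_entries,
               const uint16_t *longname, int length)
{
    for (int i = 0; i < 26 * number_of_entries; i++) {
        int offset = lfn_slot_offset(i);
        lfn_entry_t *entry = &entries[number_of_entries - 1 - i / 26];
        uint8_t *bytes = (uint8_t *)entry;

        if (offset < 0 || (size_t)offset >= sizeof(*entry)) {
            return -1;   /* impossible with the mapping above; defensive */
        }
        if (i >= 2 * length + 2) {
            bytes[offset] = 0xff;                   /* padding after terminator */
        } else if (i % 2 == 0) {
            bytes[offset] = longname[i / 2] & 0xff; /* low byte */
        } else {
            bytes[offset] = longname[i / 2] >> 8;   /* high byte */
        }
    }
    return 0;
}

int main(void)
{
    lfn_entry_t entry;
    const uint16_t name[] = { 'A', 'B', 0 };   /* constructed sample input */

    memset(&entry, 0, sizeof(entry));
    lfn_encode(&entry, 1, name, 2);
    printf("max offset %d, %d of 26 slots outside name[11]\n",
           lfn_max_offset(), lfn_slots_outside_name());
    printf("byte 1 = %c, byte 14 = 0x%02x, byte 26 = 0x%02x\n",
           entry.name[1], entry.rest[0], entry.rest[12]);
    return 0;
}
```

Running it shows that the mapping peaks at offset 31 and that 16 of the 26 slots per entry sit past name[11], which is the share of each 13-character chunk a skip-on-overflow check would lose; lfn_encode() fills bytes 14 and 31 with the expected padding while leaving the attribute byte and the cluster field untouched.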