From: Nguyen Dinh Phi <phind.uet@gmail.com>
Currently, the readline_insert_char() function is guarded by the cursor
position (cmd_buf_index) rather than the actual buffer fill level(cmd_buf_size).
The current check is:
if (rs->cmd_buf_index < READLINE_CMD_BUF_SIZE)
This logic is flawed because if the command buffer is full and a user moves the
cursor backward (e.g. by sending left arrow key), cmd_buf_index can be
decreased without descreasing of buffer size.
This allow subsequent insertions to increase cmd_buf_size past its maximum
limit of rs->cmd_buf.
Because in the ReadLineState struct, cmd_buf[READLINE_CMD_BUF_SIZE + 1] is
immediately followed by the cmd_buf_index integer, once the buffer size is
sufficiently inflated, the memmove() operation inside readline_insert_char()
can write past the end of cmd_buf[] and overwrites cmd_buf_index itself.
The subsequent line:
rs->cmd_buf[rs->cmd_buf_index] = ch;
then writes the input character to an address determined by the now-corrupted
index.
By providing a specifically crafted input sequence via HMP, this flaw can be
used to redirect the write operation to overwrite any field within the
ReadLineState structure, which can lead to unpredictable behavior or
application crashes.
Fix this by adding the guard to check for buffer fullness.
Signed-off-by: Nguyen Dinh Phi <phind.uet@gmail.com>
---
util/readline.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
---
V2:
use assert() to check the value of cmd_buf_index before the
insertion.
diff --git a/util/readline.c b/util/readline.c
index 0f19674f52..e2664e48ca 100644
--- a/util/readline.c
+++ b/util/readline.c
@@ -84,7 +84,9 @@ static void readline_update(ReadLineState *rs)
static void readline_insert_char(ReadLineState *rs, int ch)
{
- if (rs->cmd_buf_index < READLINE_CMD_BUF_SIZE) {
+ assert(rs->cmd_buf_index <= rs->cmd_buf_size);
+
+ if (rs->cmd_buf_size < READLINE_CMD_BUF_SIZE) {
memmove(rs->cmd_buf + rs->cmd_buf_index + 1,
rs->cmd_buf + rs->cmd_buf_index,
rs->cmd_buf_size - rs->cmd_buf_index);
--
2.43.0Hi
On Mon, Apr 6, 2026 at 9:05 AM <phind.uet@gmail.com> wrote:
>
> From: Nguyen Dinh Phi <phind.uet@gmail.com>
>
> Currently, the readline_insert_char() function is guarded by the cursor
> position (cmd_buf_index) rather than the actual buffer fill level(cmd_buf_size).
> The current check is:
> if (rs->cmd_buf_index < READLINE_CMD_BUF_SIZE)
>
> This logic is flawed because if the command buffer is full and a user moves the
> cursor backward (e.g. by sending left arrow key), cmd_buf_index can be
> decreased without descreasing of buffer size.
> This allow subsequent insertions to increase cmd_buf_size past its maximum
> limit of rs->cmd_buf.
>
> Because in the ReadLineState struct, cmd_buf[READLINE_CMD_BUF_SIZE + 1] is
> immediately followed by the cmd_buf_index integer, once the buffer size is
> sufficiently inflated, the memmove() operation inside readline_insert_char()
> can write past the end of cmd_buf[] and overwrites cmd_buf_index itself.
>
> The subsequent line:
> rs->cmd_buf[rs->cmd_buf_index] = ch;
>
> then writes the input character to an address determined by the now-corrupted
> index.
>
> By providing a specifically crafted input sequence via HMP, this flaw can be
> used to redirect the write operation to overwrite any field within the
> ReadLineState structure, which can lead to unpredictable behavior or
> application crashes.
>
> Fix this by adding the guard to check for buffer fullness.
>
> Signed-off-by: Nguyen Dinh Phi <phind.uet@gmail.com>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
> ---
> util/readline.c | 4 +++-
> 1 file changed, 3 insertions(+), 1 deletion(-)
> ---
> V2:
> use assert() to check the value of cmd_buf_index before the
> insertion.
>
> diff --git a/util/readline.c b/util/readline.c
> index 0f19674f52..e2664e48ca 100644
> --- a/util/readline.c
> +++ b/util/readline.c
> @@ -84,7 +84,9 @@ static void readline_update(ReadLineState *rs)
>
> static void readline_insert_char(ReadLineState *rs, int ch)
> {
> - if (rs->cmd_buf_index < READLINE_CMD_BUF_SIZE) {
> + assert(rs->cmd_buf_index <= rs->cmd_buf_size);
> +
> + if (rs->cmd_buf_size < READLINE_CMD_BUF_SIZE) {
> memmove(rs->cmd_buf + rs->cmd_buf_index + 1,
> rs->cmd_buf + rs->cmd_buf_index,
> rs->cmd_buf_size - rs->cmd_buf_index);
> --
> 2.43.0
>
--
Marc-André Lureau
On Tue, 7 Apr 2026 at 20:35, Marc-André Lureau <marcandre.lureau@gmail.com> wrote: > > Hi > > On Mon, Apr 6, 2026 at 9:05 AM <phind.uet@gmail.com> wrote: > > > > From: Nguyen Dinh Phi <phind.uet@gmail.com> > > > > Currently, the readline_insert_char() function is guarded by the cursor > > position (cmd_buf_index) rather than the actual buffer fill level(cmd_buf_size). > > The current check is: > > if (rs->cmd_buf_index < READLINE_CMD_BUF_SIZE) > > > > This logic is flawed because if the command buffer is full and a user moves the > > cursor backward (e.g. by sending left arrow key), cmd_buf_index can be > > decreased without descreasing of buffer size. > > This allow subsequent insertions to increase cmd_buf_size past its maximum > > limit of rs->cmd_buf. > > > > Because in the ReadLineState struct, cmd_buf[READLINE_CMD_BUF_SIZE + 1] is > > immediately followed by the cmd_buf_index integer, once the buffer size is > > sufficiently inflated, the memmove() operation inside readline_insert_char() > > can write past the end of cmd_buf[] and overwrites cmd_buf_index itself. > > > > The subsequent line: > > rs->cmd_buf[rs->cmd_buf_index] = ch; > > > > then writes the input character to an address determined by the now-corrupted > > index. > > > > By providing a specifically crafted input sequence via HMP, this flaw can be > > used to redirect the write operation to overwrite any field within the > > ReadLineState structure, which can lead to unpredictable behavior or > > application crashes. > > > > Fix this by adding the guard to check for buffer fullness. > > > > Signed-off-by: Nguyen Dinh Phi <phind.uet@gmail.com> > > Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com> Thanks; this seemed worth getting into the next rc so I have applied it directly to git. -- PMM
© 2016 - 2026 Red Hat, Inc.