On Monday, 18 May 2026 19:40:34 CEST Christian Schoenebeck wrote:
> This series fixes a heap buffer overflow vulnerability in the 9pfs local
> backend. The vulnerability occurs when handling paths exceeding 65536 bytes,
> due to the V9fsPath.size field being limited to 16 bits.
>
> The fix consists of:
>
> - Changing V9fsPath.size from uint16_t to size_t.
> - Converting v9fs_path_sprintf() to return int for error handling.
> - Adding error propagation through all path manipulation functions.
>
> Individual Patches:
>
> - Patch 1 is just an additional defensive patch.
>
> - Actual fixes are patches 2..4, where patches 2..3 are preparatory, and
> patch 4 is the actual behaviour fix.
>
> - Patch 5 adds a reset function to the virtio test client for the new
> test to work.
>
> - Patch 6 adds a new test to guard this buffer overflow issue.
> It must be enabled explicitly by -m slow for it to run.
>
> More details about this issue:
> https://gitlab.com/qemu-project/qemu/-/issues/3358
Queued on 9p.next:
https://github.com/cschoenebeck/qemu/commits/9p.next
Thanks!
/Christian
> Christian Schoenebeck (6):
> hw/9pfs: add NULL check in v9fs_path_is_ancestor()
> hw/9pfs: change V9fsPath.size to size_t and v9fs_path_sprintf() return
> type
> hw/9pfs: add error handling to v9fs_fix_path()
> hw/9pfs: let callers of v9fs_path_sprintf() and v9fs_fix_path() handle
> errors
> tests/qtest/libqos: add qvirtqueue_reset_pool() for descriptor pool
> reset
> tests/9pfs: add deep absolute path test
>
> fsdev/file-op-9p.h | 2 +-
> hw/9pfs/9p-local.c | 23 ++++++++----
> hw/9pfs/9p.c | 41 +++++++++++++++------
> hw/9pfs/9p.h | 4 +--
> tests/qtest/libqos/virtio.c | 23 ++++++++++++
> tests/qtest/libqos/virtio.h | 2 ++
> tests/qtest/virtio-9p-test.c | 69 ++++++++++++++++++++++++++++++++++++
> 7 files changed, 144 insertions(+), 20 deletions(-)
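The truncation the cover letter describes, next to a builder in the style of the fix, as an added illustration in C that is not QEMU's code: NarrowPath, WidePath, narrow_recorded_size, wide_path_sprintf and wide_recorded_size_for are hypothetical simplified stand-ins for V9fsPath and v9fs_path_sprintf, and the "/aaa..." input is constructed.

```c
#include <stdarg.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-ins, not QEMU's V9fsPath: the pre-fix layout records the
 * path length (NUL included) in a 16-bit field, the post-fix one in a size_t. */
typedef struct { uint16_t size; char *data; } NarrowPath;
typedef struct { size_t   size; char *data; } WidePath;

/* What NarrowPath.size would hold for len path bytes plus NUL: wraps from 65535 on. */
size_t narrow_recorded_size(size_t len)
{
    return (uint16_t)(len + 1);
}

/* Post-fix style builder: formats into a fresh buffer, records the true size
 * and returns 0 or -1 so callers can propagate failure rather than carry on. */
int wide_path_sprintf(WidePath *path, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(NULL, 0, fmt, ap);
    va_end(ap);
    if (n < 0) return -1;
    char *buf = malloc((size_t)n + 1);
    if (!buf) return -1;
    va_start(ap, fmt);
    vsnprintf(buf, (size_t)n + 1, fmt, ap);
    va_end(ap);
    free(path->data);
    path->data = buf;
    path->size = (size_t)n + 1;
    return 0;
}

/* Constructed "/aaa..." path with a len-byte component: recorded size, or 0 on failure/mismatch. */
size_t wide_recorded_size_for(size_t len)
{
    char *comp = malloc(len + 1);
    if (!comp) return 0;
    memset(comp, 'a', len); comp[len] = '\0';
    WidePath p = { 0, NULL };
    int rc = wide_path_sprintf(&p, "/%s", comp);
    size_t recorded = (rc == 0 && p.size == strlen(p.data) + 1) ? p.size : 0;
    free(p.data);
    free(comp);
    return recorded;
}
```

For a 65536-byte component the 16-bit field records 2 while the string is 65538 bytes long, which is the size/data mismatch a consumer of the field would act on.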