From nobody Mon Jun 8 06:36:53 2026 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=pass(p=quarantine dis=none) header.from=crudebyte.com ARC-Seal: i=1; a=rsa-sha256; t=1780310278; cv=none; d=zohomail.com; s=zohoarc; b=l6o33D37Q5MAv+YtVnKMws8KJjABDoSBJSAuaFA6ltXdNUfXUcFVSFc533WKirKIy1Kc4yTfkqvKjLQsQyX5KpsEI00u9LJVUPrlvF6/16HUiQ2Jypvo/72pE6bfwZnFl1mc72b7mZf49ipMojKqWeMtE/kSNukgh6/Jd6P6GDw= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1780310278; h=Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:Message-ID:References:Sender:Subject:Subject:To:To:Message-Id:Reply-To; bh=Gc/QErGR5RsT8fG68U+RgVCSzjXhNLLHjAN27KCzsA4=; b=Jq8W4tikxJ6y9/3MZl3DSdqgMq0XGDFPL+8ybpz0JL75SC3AMO15zHwCg1WZqigAo/DH4W/+iBq8HCFpNZE5Lmnwhtokbri/Ov0TVGOp9Ikcq3TaSQMwO53SpCJURIKlkTOqrD/oD/6h9r9LgutImrGKygmVxv80KSNhCE5ZKkU= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=pass header.from= (p=quarantine dis=none) Return-Path: Received: from lists1p.gnu.org (lists1p.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1780310278657435.956633093862; Mon, 1 Jun 2026 03:37:58 -0700 (PDT) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists1p.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1wU00t-0004SG-18; Mon, 01 Jun 2026 06:36:55 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists1p.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1wU00q-0004Rj-Tr; Mon, 01 Jun 2026 06:36:52 -0400 Received: from kylie.crudebyte.com ([5.189.157.229]) by eggs.gnu.org with 
esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1wU00p-00072a-4m; Mon, 01 Jun 2026 06:36:52 -0400 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=crudebyte.com; s=kylie; h=Cc:To:Subject:Date:From:References:In-Reply-To: Message-ID:Content-Type:Content-Transfer-Encoding:MIME-Version:Content-ID: Content-Description; bh=Gc/QErGR5RsT8fG68U+RgVCSzjXhNLLHjAN27KCzsA4=; b=SbiBn dg3r54umTtdmeoOq4ZoknmyEcj81qSk6N5uQDZoq8JhwOrWFHkA95rsGeknakBUP6GVNQoZOLeENx 92r1wr7BmbqWadAjbLYc+i1CANAHtmGW9FTsClBxWlZNFqqNM9F8mjP6sPyxqDaS94X8o9oae6I4Q 8+7/JW/MSRl3JrO04gdUANVrT89C3dlj3Vpgli5tV6ccRyDlJp0sgR62a8poSWbUevIVJm4m+11Gp dmLW6OQJlBwgXk8ze3AgUiJNb8HlxSvAaBX8kak4qIbYs9VcCN0YGqocUKyPnCZbrsIYdB9P0pv0a Xxuyt4+CXelybssb/nxARcBNc3OO1RucTe1ZtVGvaw4mleJLMbG1rIZaeNiCk6r3X95VOchxfaM8T y0fiGY29ocoCkKt92BxrNo+xKTqcnbzHpflg/v8ehhggE8hmakF1to0My5rDfkFPhvMA7ErlM7vVQ q+58PehEC0cbCS2CK3K2hFTvDHSQf+ZsRsmQYJIjqITIAS71QVE5zgzrbgyH8kqsnTGw56FFZN1AN ye/gnhck0iMQ6dhagz4SNASvJd97j04N9mRYi2k/K6jQ4Tg17C33J6LoG3qct564CpNFjbES7BY3e hz/S3aMtBWWB5wLW1l6+QQkkmLp82yiQIOa8zIZBJM9ALT9jrWW/yoPrvLpgWQ=; Message-ID: In-Reply-To: References: 
From: Christian Schoenebeck Date: Mon, 01 Jun 2026 11:52:56 +0200 Subject: [PULL 1/7] hw/9pfs: add NULL check in v9fs_path_is_ancestor() To: qemu-devel@nongnu.org Cc: qemu-stable@nongnu.org, Greg Kurz , Peter Maydell , Wang Jihe Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists1p.gnu.org; Received-SPF: pass client-ip=5.189.157.229; envelope-from=abb0cc02fb56e2432837e34b80fe68768f95e774@kylie.crudebyte.com; helo=kylie.crudebyte.com X-Spam_score_int: -20 X-Spam_score: -2.1 X-Spam_bar: -- X-Spam_report: (-2.1 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: qemu development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: qemu-devel-bounces+importer=patchew.org@nongnu.org X-ZohoMail-DKIM: pass (identity @crudebyte.com) X-ZM-MESSAGEID: 1780310280680158500 Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Add NULL check for s1->data and s2->data before using them in string operations. This prevents potential crashes when dealing with uninitialized paths. This is just a defensive measure. We are currently never passing NULL to this function. Link: https://lore.kernel.org/qemu-devel/3348c4d683f061c23083bd45994d527be4= fb7cbc.1779126034.git.qemu_oss@crudebyte.com Signed-off-by: Christian Schoenebeck --- hw/9pfs/9p.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c index e2713b9eee..e590c414ab 100644 --- a/hw/9pfs/9p.c +++ b/hw/9pfs/9p.c 
@@ -241,6 +241,9 @@ int v9fs_name_to_path(V9fsState *s, V9fsPath *dirpath, */ static int v9fs_path_is_ancestor(V9fsPath *s1, V9fsPath *s2) { + if (!s1->data || !s2->data) { + return 0; + } if (!strncmp(s1->data, s2->data, s1->size - 1)) { if (s2->data[s1->size - 1] =3D=3D '\0' || s2->data[s1->size - 1] = =3D=3D '/') { return 1; --=20 2.47.3 From nobody Mon Jun 8 06:36:53 2026 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=pass(p=quarantine dis=none) header.from=crudebyte.com ARC-Seal: i=1; a=rsa-sha256; t=1780310289; cv=none; d=zohomail.com; s=zohoarc; b=J8yjkSM0r/igeg/VxnJIdp6QJwi8oMyIdY/My+fooH6dx1hjiz2RPAOGeUFnfvNxbayniZo8LZ9HP9ixz3zGBxvuUBvwLLTp30PGFka3ajoBMURGoPQbR0Ud8npE4vof1FXJjZoPS5/ZdZC21eWB9aLxRtVvGYkBR0SekXDr+dY= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1780310289; h=Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:Message-ID:References:Sender:Subject:Subject:To:To:Message-Id:Reply-To; bh=KTCypxeBAuyLvGzufd+An9ohwr86NbHfxjs/1sK05lE=; b=V+1d4FkynSWcdOSU0xLKFTE618aR4Gk85Q/UtO8DNqpl7SuQgE/xcdG5AlYM7q7j1yaXHmOg27H0r5TNIqKNAoHg2o69gpd/b/oYMwnszaD0moU4zsqa6NXC18+W6xHOzBccHsOFd/E9WECMFq5p4wa/mtI21jqUPnJ8OGZ2s14= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=pass header.from= (p=quarantine dis=none) Return-Path: Received: from lists1p.gnu.org (lists1p.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1780310289455270.06167067944864; Mon, 1 Jun 2026 03:38:09 -0700 (PDT) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists1p.gnu.org with esmtp (Exim 4.90_1) 
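Review bot: the new guard in v9fs_path_is_ancestor() covers NULL s1->data and s2->data but not s1->size == 0: the strncmp() length is computed as `s1->size - 1` from an unsigned size, so a path with non-NULL data and a zero size would wrap to a huge length. Extend the check to `if (!s1->data || !s2->data || s1->size == 0) { return 0; }`, and since the commit message attributes the NULL case to uninitialised paths, say so in a one-line comment above the check so the next reader knows which state it is defending against.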
From: Christian Schoenebeck Date: Mon, 01 Jun 2026 11:52:56 +0200 Subject: [PULL 2/7] hw/9pfs: change V9fsPath.size to size_t and v9fs_path_sprintf() return type To: qemu-devel@nongnu.org Cc: qemu-stable@nongnu.org, Greg Kurz , Peter Maydell , Wang Jihe Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists1p.gnu.org; Received-SPF: pass client-ip=5.189.157.229; envelope-from=dbaf84e148b0c8b66dcb47788a6bb13806e401e4@kylie.crudebyte.com; helo=kylie.crudebyte.com X-Spam_score_int: -20 X-Spam_score: -2.1 X-Spam_bar: -- X-Spam_report: (-2.1 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: qemu development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: qemu-devel-bounces+importer=patchew.org@nongnu.org X-ZohoMail-DKIM: pass (identity @crudebyte.com) X-ZM-MESSAGEID: 1780310290701158500 Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" - Change V9fsPath.size from uint16_t to size_t to support paths larger than 65536 bytes. - Change v9fs_path_sprintf() return type from void to int to allow error reporting. Link: https://lore.kernel.org/qemu-devel/2d2348d94ff43fbe4cc0aea24fb312c5c1= 5ee809.1779126034.git.qemu_oss@crudebyte.com Signed-off-by: Christian Schoenebeck --- fsdev/file-op-9p.h | 2 +- hw/9pfs/9p.c | 14 +++++++++++--- hw/9pfs/9p.h | 4 ++-- 3 files changed, 14 insertions(+), 6 deletions(-) diff --git a/fsdev/file-op-9p.h b/fsdev/file-op-9p.h index b85c9934de..e8d0661c4b 100644 --- a/fsdev/file-op-9p.h +++ b/fsdev/file-op-9p.h 
@@ -112,7 +112,7 @@ struct FsContext { }; =20 struct V9fsPath { - uint16_t size; + size_t size; char *data; }; P9ARRAY_DECLARE_TYPE(V9fsPath); diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c index e590c414ab..88894ec9d2 100644 --- a/hw/9pfs/9p.c +++ b/hw/9pfs/9p.c @@ -203,16 +203,24 @@ void v9fs_path_free(V9fsPath *path) } =20 =20 -void v9fs_path_sprintf(V9fsPath *path, const char *fmt, ...) +int v9fs_path_sprintf(V9fsPath *path, const char *fmt, ...) { va_list ap; + int ret; =20 v9fs_path_free(path); =20 va_start(ap, fmt); - /* Bump the size for including terminating NULL */ - path->size =3D g_vasprintf(&path->data, fmt, ap) + 1; + ret =3D g_vasprintf(&path->data, fmt, ap); va_end(ap); + if (ret < 0) { + error_report_once("9pfs: unusual path formatting failure; " + "invalidating associated FID"); + return -1; + } + /* Bump the size for including terminating NULL */ + path->size =3D ret + 1; + return 0; } =20 void v9fs_path_copy(V9fsPath *dst, const V9fsPath *src) diff --git a/hw/9pfs/9p.h b/hw/9pfs/9p.h index 65cc45e344..b2df659b0e 100644 --- a/hw/9pfs/9p.h +++ b/hw/9pfs/9p.h 
@@ -456,8 +456,8 @@ static inline uint8_t v9fs_request_cancelled(V9fsPDU *p= du) void coroutine_fn v9fs_reclaim_fd(V9fsPDU *pdu); void v9fs_path_init(V9fsPath *path); void v9fs_path_free(V9fsPath *path); -void G_GNUC_PRINTF(2, 3) v9fs_path_sprintf(V9fsPath *path, const char *fmt, - ...); +int G_GNUC_PRINTF(2, 3) v9fs_path_sprintf(V9fsPath *path, const char *fmt, + ...); void v9fs_path_copy(V9fsPath *dst, const V9fsPath *src); size_t v9fs_readdir_response_size(V9fsString *name); int v9fs_name_to_path(V9fsState *s, V9fsPath *dirpath, --=20 2.47.3 From nobody Mon Jun 8 06:36:53 2026 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=pass(p=quarantine dis=none) header.from=crudebyte.com ARC-Seal: i=1; a=rsa-sha256; t=1780310321; cv=none; d=zohomail.com; s=zohoarc; b=GGE9IcsbHXEH1op5+Jt7qnzI5QohH3mNjdLmBPkgfDbb+NzxJj6GgGl9BSTnApATXeD+WLuEUJkrok30Vp0eO4mRN+RhC6MCnElkxXNmPfZTXSEfSJy87xmJp5+mn+tovqXiU9RLzALImkjqjuOGy6qwxh5ksotdvkir5si7+8c= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1780310321; h=Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:Message-ID:References:Sender:Subject:Subject:To:To:Message-Id:Reply-To; bh=GTomEbl5MoBywpmJl0J2ohNoLwUhaPLNBuJe7ZYv6qI=; b=KIp7riWjIy18Zc03Au6VqMENZJJJ+LNv9wGlxQcFXCydTOAxMV9gmS5c33bkHLuj5uiGBKCVZyYr5pz4EkW6OjVeVtI3rZs4bkCb4M+RlPbfdePOlqGo/g+7Am306rX8Jw+7MK6oOPTGQwXO7Au4JHzUISKuOyk/ALVO3FScYME= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=pass header.from= (p=quarantine dis=none) Return-Path: Received: from lists1p.gnu.org (lists1p.gnu.org [209.51.188.17]) by 
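Review bot: in the v9fs_path_sprintf() hunk in 9p.c, the message "9pfs: unusual path formatting failure; invalidating associated FID" describes what a caller may do, not what this function does: it only returns -1 after v9fs_path_free() has already run. Reword it to the local effect (e.g. "path left empty") and add a comment stating what `path` looks like after a failure (freed, data NULL, size reset), because callers and v9fs_path_is_ancestor() now depend on exactly that state.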
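Review bot: since the return value of v9fs_path_sprintf() is now meaningful, add G_GNUC_WARN_UNUSED_RESULT to the changed declaration in 9p.h, i.e. `int G_GNUC_WARN_UNUSED_RESULT G_GNUC_PRINTF(2, 3) v9fs_path_sprintf(...)`, so that any call site that still ignores the result is flagged by the compiler instead of relying on the follow-up patch to find every caller by hand.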
Message-ID: <54dd352c59269fdb5241e7b6dbcecaff107e7f5a.1780307575.git.qemu_oss@crudebyte.com>
From: Christian Schoenebeck Date: Mon, 01 Jun 2026 11:52:56 +0200 Subject: [PULL 3/7] hw/9pfs: add error handling to v9fs_fix_path() To: qemu-devel@nongnu.org Cc: qemu-stable@nongnu.org, Greg Kurz , Peter Maydell , Wang Jihe Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists1p.gnu.org; Received-SPF: pass client-ip=5.189.157.229; envelope-from=54dd352c59269fdb5241e7b6dbcecaff107e7f5a@kylie.crudebyte.com; helo=kylie.crudebyte.com X-Spam_score_int: -20 X-Spam_score: -2.1 X-Spam_bar: -- X-Spam_report: (-2.1 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: qemu development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: qemu-devel-bounces+importer=patchew.org@nongnu.org X-ZohoMail-DKIM: pass (identity @crudebyte.com) X-ZM-MESSAGEID: 1780310322853158500 Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Update v9fs_fix_path() to return int and propagate errors from v9fs_path_sprintf(). This allows callers to detect and handle path formatting failures. Link: https://lore.kernel.org/qemu-devel/a0592741a918b7cbe751980ec7ec0c03f5= 05924c.1779126034.git.qemu_oss@crudebyte.com Signed-off-by: Christian Schoenebeck --- hw/9pfs/9p.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c index 88894ec9d2..d704de644f 100644 --- a/hw/9pfs/9p.c +++ b/hw/9pfs/9p.c 
@@ -1417,13 +1417,15 @@ static void print_sg(struct iovec *sg, int cnt) } =20 /* Will call this only for path name based fid */ -static void v9fs_fix_path(V9fsPath *dst, V9fsPath *src, int len) +static int v9fs_fix_path(V9fsPath *dst, V9fsPath *src, int len) { V9fsPath str; + int ret; v9fs_path_init(&str); v9fs_path_copy(&str, dst); - v9fs_path_sprintf(dst, "%s%s", src->data, str.data + len); + ret =3D v9fs_path_sprintf(dst, "%s%s", src->data, str.data + len); v9fs_path_free(&str); + return ret; } =20 static inline bool is_ro_export(FsContext *ctx) --=20 2.47.3 From nobody Mon Jun 8 06:36:53 2026 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=pass(p=quarantine dis=none) header.from=crudebyte.com ARC-Seal: i=1; a=rsa-sha256; t=1780310258; cv=none; d=zohomail.com; s=zohoarc; b=fKrR33BM3imuczKMKO9i2NMKhuCa5a9RBOGx9+Z/2yemUlpKsAk/Kd4t2yf00ECzFg3liVkx0gM+PYZUz0AsbefSEpWBNEMH0/EQhNqbdJVT6eFO3kArsKXCEKtw8YuSWsg6QUpiSfvRAHvz5W1xGXixAM6KBWrL5CN2tbA1K5I= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1780310258; h=Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:Message-ID:References:Sender:Subject:Subject:To:To:Message-Id:Reply-To; bh=8ddYxKDwuJBO0Ln4Q0qIOWWcFWtc9FBCa5NELge/tEU=; b=IwEPGDvX7LP2sdU3yZT7zlcpvxqX5pqzs7fAyKYdF/i8mAV/vQKesfraiM2NOnCUDi8EPUrEhPslErGa6q1uCSk36eLhQEMVWBU3lFa4Sktcc7a+Ecxwd3Y87EXSt4WbwlOIPP9JQF9weQhniYlwyStNdrVMVeFuy17zOcFc2DQ= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=pass header.from= (p=quarantine dis=none) Return-Path: Received: from lists1p.gnu.org (lists1p.gnu.org 
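Review bot: v9fs_fix_path() now propagates the v9fs_path_sprintf() result, but its `len` parameter is still `int` while callers pass strlen() values and V9fsPath.size was just widened to size_t; make `len` a size_t to avoid sign conversion on long paths. Also update the "Will call this only for path name based fid" comment to state the contract: returns 0 on success, -1 if dst could not be rebuilt, in which case dst has already been freed by v9fs_path_sprintf() and must not be used.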
Message-ID: <3802c0e755a53b126e717415b54226a468bf7ddf.1780307575.git.qemu_oss@crudebyte.com>
From: Christian Schoenebeck Date: Mon, 01 Jun 2026 11:52:56 +0200 Subject: [PULL 4/7] hw/9pfs: let callers of v9fs_path_sprintf() and v9fs_fix_path() handle errors To: qemu-devel@nongnu.org Cc: qemu-stable@nongnu.org, Greg Kurz , Peter Maydell , Wang Jihe Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists1p.gnu.org; Received-SPF: pass client-ip=5.189.157.229; envelope-from=3802c0e755a53b126e717415b54226a468bf7ddf@kylie.crudebyte.com; helo=kylie.crudebyte.com X-Spam_score_int: -20 X-Spam_score: -2.1 X-Spam_bar: -- X-Spam_report: (-2.1 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: qemu development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: qemu-devel-bounces+importer=patchew.org@nongnu.org X-ZohoMail-DKIM: pass (identity @crudebyte.com) X-ZM-MESSAGEID: 1780310260558158500 Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" This patch mitigates issues with very large absolute paths. - Add error handling to all v9fs_path_sprintf() calls in local_name_to_path() - Update callers of v9fs_fix_path() to check return values. - When path formatting fails, clunk the affected FIDs to prevent use of invalid paths. - Use g_autofree for temporary variables to simplify code. Even though paths are usually limited to PATH_MAX (typically 4k) on guest, this limitation can be circumvented by using *at() functions on guest and creating very deep directory structures. 
This was a problem for QEMU 9p server, as it currently tracks the absolute path for each FID internally that always requires assembly of a (potentially very large) absolute path. A true long-term fix would be getting rid of storing an absolute path for each FID internally. However, that would likely be a massive change with uncertain implications. This patch therefore just mitigates the problem by immediately clunking (i.e. closing) all FIDs whose paths exceed a limit that we could handle. As this only applies to very unusually large absolute paths that have never been reported on (sane) production machines, this is currently considered an acceptable mitigation that should only (counter)affect malicious attempts. Fixes: 2f008a8c97e2 ("hw/9pfs: Use the correct signed type ...") Reported-by: Wang Jihe Resolves: https://gitlab.com/qemu-project/qemu/-/issues/3358 Link: https://lore.kernel.org/qemu-devel/1d11dcbfc95b811dcdb48c6d7f3894d0eb= d073a2.1779126034.git.qemu_oss@crudebyte.com Signed-off-by: Christian Schoenebeck --- hw/9pfs/9p-local.c | 23 ++++++++++++++++------- hw/9pfs/9p.c | 18 +++++++++++++----- 2 files changed, 29 insertions(+), 12 deletions(-) diff --git a/hw/9pfs/9p-local.c b/hw/9pfs/9p-local.c index 24cb1da90a..aa48306b0e 100644 --- a/hw/9pfs/9p-local.c +++ b/hw/9pfs/9p-local.c 
@@ -1261,26 +1261,35 @@ static int local_name_to_path(FsContext *ctx, V9fsP= ath *dir_path, } else if (!strcmp(name, "..")) { if (!strcmp(dir_path->data, ".")) { /* ".." relative to the root is "." */ - v9fs_path_sprintf(target, "."); + if (v9fs_path_sprintf(target, ".") < 0) { + return -1; + } } else { - char *tmp =3D g_path_get_dirname(dir_path->data); + g_autofree char *tmp =3D g_path_get_dirname(dir_path->data= ); /* Symbolic links are resolved by the client. We can assume * that ".." relative to "foo/bar" is equivalent to "foo" */ - v9fs_path_sprintf(target, "%s", tmp); - g_free(tmp); + if (v9fs_path_sprintf(target, "%s", tmp) < 0) { + return -1; + } } } else { assert(!strchr(name, '/')); - v9fs_path_sprintf(target, "%s/%s", dir_path->data, name); + if (v9fs_path_sprintf(target, "%s/%s", dir_path->data, name) <= 0) { + return -1; + } } } else if (!strcmp(name, "/") || !strcmp(name, ".") || !strcmp(name, "..")) { /* This is the root fid */ - v9fs_path_sprintf(target, "."); + if (v9fs_path_sprintf(target, ".") < 0) { + return -1; + } } else { assert(!strchr(name, '/')); - v9fs_path_sprintf(target, "./%s", name); + if (v9fs_path_sprintf(target, "./%s", name) < 0) { + return -1; + } } return 0; } diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c index d704de644f..b4314d2549 100644 --- a/hw/9pfs/9p.c +++ b/hw/9pfs/9p.c @@ -3325,12 +3325,14 @@ static int coroutine_fn v9fs_complete_rename(V9fsPD= U *pdu, V9fsFidState *fidp, goto out; } } else { - char *dir_name =3D g_path_get_dirname(fidp->path.data); + g_autofree char *dir_name =3D g_path_get_dirname(fidp->path.data); V9fsPath dir_path; =20 v9fs_path_init(&dir_path); - v9fs_path_sprintf(&dir_path, "%s", dir_name); - g_free(dir_name); + err =3D v9fs_path_sprintf(&dir_path, "%s", dir_name); + if (err < 0) { + goto out; + } =20 err =3D v9fs_co_name_to_path(pdu, &dir_path, name->data, &new_path= ); v9fs_path_free(&dir_path); 
@@ -3351,7 +3353,10 @@ static int coroutine_fn v9fs_complete_rename(V9fsPDU= *pdu, V9fsFidState *fidp, while (g_hash_table_iter_next(&iter, &fid, (gpointer *) &tfidp)) { if (v9fs_path_is_ancestor(&fidp->path, &tfidp->path)) { /* replace the name */ - v9fs_fix_path(&tfidp->path, &new_path, strlen(fidp->path.data)= ); + if (v9fs_fix_path(&tfidp->path, &new_path, + strlen(fidp->path.data)) < 0) { + clunk_fid(s, tfidp->fid); + } } } out: 
@@ -3448,7 +3453,10 @@ static int coroutine_fn v9fs_fix_fid_paths(V9fsPDU *= pdu, V9fsPath *olddir, while (g_hash_table_iter_next(&iter, &fid, (gpointer *) &tfidp)) { if (v9fs_path_is_ancestor(&oldpath, &tfidp->path)) { /* replace the name */ - v9fs_fix_path(&tfidp->path, &newpath, strlen(oldpath.data)); + if (v9fs_fix_path(&tfidp->path, &newpath, + strlen(oldpath.data)) < 0) { + clunk_fid(s, tfidp->fid); + } } } out: --=20 2.47.3 From nobody Mon Jun 8 06:36:53 2026 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=pass(p=quarantine dis=none) header.from=crudebyte.com ARC-Seal: i=1; a=rsa-sha256; t=1780310236; cv=none; d=zohomail.com; s=zohoarc; b=LWi/kBalblB0FiQc0K+AXbWPCGLqFHCHDvihxaW/iavH47wmcVapKEVYcNuQWk/xSGIQUUzUOzMyF5Iei/geqzjhtc5jcuEPztzZc34BfU3HUoe6RMPJeBqumWJnXfs31BTRt//3jPzPNGhuSWRIeDUx8xy1zTlU1jjwp8kDD8s= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1780310236; h=Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:Message-ID:References:Sender:Subject:Subject:To:To:Message-Id:Reply-To; bh=3bAH1zxl2nTq/kZfGqArQY/bbatoiPlV2qADmOh86XQ=; b=kXzuhOaYiJZnlVhl+BOn+chrbbUaEpZwOsy8DdC0szSdcVS5WikU2dJnzWjx5x+GBjrM8VoZlfApfvjzjfkns3Nez6Wrhpv7fypBo4QFwwA/D1cCVROJn0YWWv8euDKrgEDG/UfNfyt3zoKgEp7xilxilaygZb04no8QNFF3ZLE= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=pass header.from= (p=quarantine dis=none) Return-Path: Received: from lists1p.gnu.org (lists1p.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1780310236361897.5503127828827; Mon, 1 Jun 2026 03:37:16 -0700 (PDT) Received: from 
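Review bot: in the local_name_to_path() hunk every new failure path is a bare `return -1;` without setting errno. If the caller translates a negative return from the FsDriver into -errno for the guest, the guest will see whatever errno happened to be left behind. Set `errno = ENAMETOOLONG;` (or ENOMEM, whichever matches the g_vasprintf() failure) before each return, or return a negative errno value consistently, and note the chosen convention in the function comment.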
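Review bot: in the v9fs_complete_rename() dir_path hunk, `err = v9fs_path_sprintf(&dir_path, "%s", dir_name); if (err < 0) { goto out; }` propagates a bare -1, whereas the adjacent `err = v9fs_co_name_to_path(...)` path carries a negative errno; -1 reaches the guest as EPERM, which is misleading for a path-length failure. Assign a specific value, e.g. `err = -ENAMETOOLONG;`, before the goto.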
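Review bot: in both the v9fs_complete_rename() and v9fs_fix_fid_paths() loops, `clunk_fid(s, tfidp->fid)` is now called while s->fids is being walked with g_hash_table_iter_next(). If clunk_fid() removes the entry from that table, this breaks GLib's iterator contract (a table may only be modified through g_hash_table_iter_remove()/g_hash_table_iter_steal() during iteration) and the walk can skip entries or touch freed memory. Either collect the fids that failed v9fs_fix_path() in a list and clunk them after the loop, or steal the entry through the iterator and release the fid state afterwards; in both cases a comment explaining why the clunk is deferred would help.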
From: Christian Schoenebeck Date: Mon, 01 Jun 2026 11:52:56 +0200 Subject: [PULL 5/7] tests/qtest/libqos: add qvirtqueue_reset_pool() for descriptor pool reset To: qemu-devel@nongnu.org Cc: qemu-stable@nongnu.org, Greg Kurz , Peter Maydell , Fabiano Rosas , Wang Jihe Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists1p.gnu.org; Received-SPF: pass client-ip=5.189.157.229; envelope-from=be33c56898f8b18617cff91525f0b68abee8de07@kylie.crudebyte.com; helo=kylie.crudebyte.com X-Spam_score_int: -20 X-Spam_score: -2.1 X-Spam_bar: -- X-Spam_report: (-2.1 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: qemu development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: qemu-devel-bounces+importer=patchew.org@nongnu.org X-ZohoMail-DKIM: pass (identity @crudebyte.com) X-ZM-MESSAGEID: 1780310238736158500 Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Add a function to reset the virtqueue descriptor pool state without reinitializing the device. This is useful for tests that issue a high number of requests and are limited by the simplified virtio test driver's descriptor tracking, which decrements num_free but never increments it back. The function is safe for synchronous test code where requests are sent and completed before the next request is issued. Acked-by: Fabiano Rosas Link: https://lore.kernel.org/qemu-devel/96cf23eea1204b34443218fe76bd4a5eaf= 9163e8.1779126034.git.qemu_oss@crudebyte.com 
Signed-off-by: Christian Schoenebeck --- tests/qtest/libqos/virtio.c | 23 +++++++++++++++++++++++ tests/qtest/libqos/virtio.h | 2 ++ 2 files changed, 25 insertions(+) diff --git a/tests/qtest/libqos/virtio.c b/tests/qtest/libqos/virtio.c index 010ff40834..ccbb325222 100644 --- a/tests/qtest/libqos/virtio.c +++ b/tests/qtest/libqos/virtio.c @@ -464,6 +464,29 @@ bool qvirtqueue_get_buf(QTestState *qts, QVirtQueue *v= q, uint32_t *desc_idx, return true; } =20 +/* + * qvirtqueue_reset_pool: + * @vq: The virtqueue to reset + * + * Reset the descriptor pool state without reinitializing the device. + * This is useful for tests that issue a high number of requests and + * are limited by the simplified virtio test driver's descriptor tracking, + * which decrements num_free but never increments it back. + * + * This is only safe for synchronous test code where requests are + * sent and completed before the next request is issued. Do not use + * with asynchronous code where multiple requests may be in-flight. + * + * Note: This only resets the available descriptor pool (free_head, + * num_free). The used ring position (last_used_idx) is NOT reset + * and should continue to track consumed responses across iterations. + */ +void qvirtqueue_reset_pool(QVirtQueue *vq) +{ + vq->free_head =3D 0; + vq->num_free =3D vq->size; +} + void qvirtqueue_set_used_event(QTestState *qts, QVirtQueue *vq, uint16_t i= dx) { g_assert(vq->event); diff --git a/tests/qtest/libqos/virtio.h b/tests/qtest/libqos/virtio.h index e238f1726f..f17be0b9b6 100644 --- a/tests/qtest/libqos/virtio.h +++ b/tests/qtest/libqos/virtio.h 
@@ -150,6 +150,8 @@ void qvirtqueue_kick(QTestState *qts, QVirtioDevice *d,= QVirtQueue *vq, bool qvirtqueue_get_buf(QTestState *qts, QVirtQueue *vq, uint32_t *desc_id= x, uint32_t *len); =20 +void qvirtqueue_reset_pool(QVirtQueue *vq); + void qvirtqueue_set_used_event(QTestState *qts, QVirtQueue *vq, uint16_t i= dx); =20 void qvirtio_start_device(QVirtioDevice *vdev); --=20 2.47.3
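Review bot: qvirtqueue_reset_pool() has no way to enforce the precondition its own comment states. It receives only the QVirtQueue, so it cannot read the used ring and confirm that every descriptor handed to the device since the last reset has come back; a caller that ignores the "only safe for synchronous test code" note gets free_head set back to 0 and silently recycles descriptors the device may still be reading. Since the comment already says last_used_idx is deliberately left alone, consider recording the number of chains kicked since the last reset and g_assert()ing that it matches what has been consumed, or at least stating in the header that the caller must have received the reply to its last request before calling this. The virtio.h hunk adds the prototype without any of that doc comment; a one-line pointer to the synchronous-only rule there would help callers who only read the header.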
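As an added example (not libqos code and not part of this patch), a small C model of the descriptor-pool accounting the commit message describes: num_free is decremented on every add and never restored by a completion, so a bounded run of synchronous requests exhausts the pool unless it is reset, and the reset is only safe when nothing is in flight. The submitted/completed counters and the refusal in vq_reset_pool() are assumptions of the model, not behaviour of qvirtqueue_reset_pool() as posted; vq_model, vq_add, vq_complete, vq_reset_pool and simulate are hypothetical names.

```c
#include <stdio.h>

/*
 * Added example, not libqos code. Models the simplified virtio test
 * driver's descriptor tracking (free_head / num_free, never refilled on
 * completion) and adds the in-flight check that a reset needs before it
 * may hand descriptors back out. Hypothetical names throughout.
 */
struct vq_model {
    unsigned size;       /* descriptors in the ring */
    unsigned free_head;  /* next descriptor index to hand out */
    unsigned num_free;   /* decremented on add, never incremented back */
    unsigned submitted;  /* chains kicked to the device (model-only) */
    unsigned completed;  /* chains seen in the used ring (model-only) */
};

/* Hand out a chain of nchain descriptors; -1 when the pool is exhausted. */
static int vq_add(struct vq_model *vq, unsigned nchain)
{
    if (nchain == 0 || nchain > vq->num_free) {
        return -1;
    }
    int head = (int)vq->free_head;
    vq->free_head += nchain;
    vq->num_free -= nchain;
    vq->submitted++;
    return head;
}

/* The device returned one chain. Like the test driver, this does not
 * give the descriptors back to the pool. */
static void vq_complete(struct vq_model *vq)
{
    vq->completed++;
}

/* Reset free_head/num_free, but only when every kicked chain has been
 * returned; with a request still in flight the reset would recycle
 * descriptors the device may still be reading. */
static int vq_reset_pool(struct vq_model *vq)
{
    if (vq->submitted != vq->completed) {
        return -1;
    }
    vq->free_head = 0;
    vq->num_free = vq->size;
    return 0;
}

/* Issue `requests` synchronous requests of `chain` descriptors each,
 * optionally resetting the pool after every completed one. Returns how
 * many requests the pool could serve. */
static unsigned simulate(unsigned size, unsigned requests, unsigned chain,
                         int reset_each)
{
    struct vq_model vq = { size, 0, size, 0, 0 };
    unsigned served = 0;

    for (unsigned i = 0; i < requests; i++) {
        if (vq_add(&vq, chain) < 0) {
            break;                       /* pool exhausted */
        }
        vq_complete(&vq);                /* reply arrives before the next request */
        served++;
        if (reset_each && vq_reset_pool(&vq) != 0) {
            break;
        }
    }
    return served;
}

int main(void)
{
    /* 128-entry ring, two descriptors per request, 257 requests */
    printf("no reset:   %u of 257 requests served\n", simulate(128, 257, 2, 0));
    printf("with reset: %u of 257 requests served\n", simulate(128, 257, 2, 1));
    return 0;
}
```

With a 128-entry ring and two descriptors per request, the unreset pool serves 64 requests and then refuses; resetting after each completed request serves all 257, which is the situation the 9p deep-path test runs into.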
From: Christian Schoenebeck
Date: Mon, 01 Jun 2026 11:52:56 +0200
Subject: [PULL 6/7] tests/9pfs: add deep absolute path test
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Greg Kurz, Peter Maydell, Wang Jihe

Add fs_deep_absolute_path test that creates a deep directory structure
with an absolute path length exceeding 16-bit range (i.e. >65536) to
verify the previous buffer overflow fix.

This is a slow test (may take several seconds) and is therefore
registered as a "slow" test and not run by default. Use -m slow to run
this test.

Link: https://gitlab.com/qemu-project/qemu/-/issues/3358
Link: https://lore.kernel.org/qemu-devel/933552b2cfc2c442fac7f4e68c777dce20ee8d7e.1779126034.git.qemu_oss@crudebyte.com
Signed-off-by: Christian Schoenebeck
---
 tests/qtest/virtio-9p-test.c | 69 ++++++++++++++++++++++++++++++++++++
 1 file changed, 69 insertions(+)
diff --git a/tests/qtest/virtio-9p-test.c b/tests/qtest/virtio-9p-test.c index ac38ccf595..1c69d41e33 100644 --- a/tests/qtest/virtio-9p-test.c +++ b/tests/qtest/virtio-9p-test.c @@ -14,6 +14,7 @@ =20 #include "qemu/osdep.h" #include "qemu/module.h" +#include "libqos/virtio.h" #include "libqos/virtio-9p-client.h" =20 #define twalk(...) v9fs_twalk((TWalkOpt) __VA_ARGS__) 
@@ -752,6 +753,72 @@ static void fs_use_after_unlink(void *obj, void *data, g_assert_cmpint(attr.size, =3D=3D, 2001); } =20 +/* https://gitlab.com/qemu-project/qemu/-/issues/3358 */ +static void fs_deep_absolute_path(void *obj, void *data, + QGuestAllocator *t_alloc) +{ + QVirtio9P *v9p =3D obj; + v9fs_set_allocator(t_alloc); + + if (!g_test_slow()) { + g_test_skip("This is a slow test, run with -m slow"); + return; + } + + GString *path =3D g_string_new("/"); + char name[256]; + uint32_t current_fid =3D 0; + + tattach({ .client =3D v9p }); + + /* Create deep directory structure until absolute path length + * exceeds 16-bit range. + */ + while (path->len <=3D 65536) { + /* use 255-byte name (NAME_MAX) to reduce iterations to ~257 */ + memset(name, 'A', 255); + name[255] =3D '\0'; + + /* create the directory relative to current FID */ + tmkdir({ + .client =3D v9p, + .dfid =3D current_fid, + .name =3D name + }); + + /* just for locally tracking the current path length */ + g_string_append(path, name); + g_string_append(path, "/"); + + /* acquire new FID for the newly created directory */ + char *wnames[] =3D { name }; + current_fid =3D twalk({ + .client =3D v9p, + .fid =3D current_fid, + .nwname =3D 1, + .wnames =3D wnames + }).newfid; + + /* Reset descriptor pool to avoid exhaustion. The simplified + * virtio test driver does never free descriptors back to the pool + * after use, so we must manually reset it for the required high + * amount of 9p requests here. + */ + qvirtqueue_reset_pool(v9p->vq); + } + + /* check if the deepest directory is accessible */ + v9fs_attr attr =3D {}; + tgetattr({ + .client =3D v9p, + .fid =3D current_fid, + .request_mask =3D P9_GETATTR_BASIC, + .rgetattr.attr =3D &attr + }); + + g_string_free(path, TRUE); +} + static void cleanup_9p_local_driver(void *data) { /* remove previously created test dir when test is completed */ 
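Review bot: in the loop body of fs_deep_absolute_path() the memset(name, 'A', 255) / name[255] = '\0' pair is loop-invariant and can move above the while; likewise path is only ever consulted for path->len, so a size_t counter incremented by strlen(name) + 1 would do the same job without growing a 64 KiB GString. More importantly, attr is filled by tgetattr() but never inspected, so the test passes as long as the server answers at all; a g_assert on the returned attributes (for instance that the returned mode is a directory, in the style of the attr.size check in fs_use_after_unlink just above) would turn the "check if the deepest directory is accessible" comment into an actual assertion. The qvirtqueue_reset_pool(v9p->vq) call sits after the twalk reply has been received, which satisfies the synchronous-only contract of that helper.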
@@ -819,6 +886,8 @@ static void register_virtio_9p_test(void) &opts); qos_add_test("local/use_after_unlink", "virtio-9p", fs_use_after_unlin= k, &opts); + qos_add_test("local/deep_absolute_path", "virtio-9p", + fs_deep_absolute_path, &opts); } =20 libqos_init(register_virtio_9p_test); --=20 2.47.3
From: Christian Schoenebeck
Date: Mon, 01 Jun 2026 11:52:56 +0200
Subject: [PULL 7/7] 9pfs: fix missing rename lock in v9fs_co_readdir_many (CVE-2026-48004)
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Greg Kurz, Peter Maydell, sin99xx
From: sin99xx

v9fs_co_readdir_many() dispatches do_readdir_many() to a worker thread
that reads V9fsFidState's path.data without holding a rename lock. A
concurrent rename request, e.g. of its parent dir, causes the FID's
absolute path to be altered by freeing the old path string and assigning
a new one. This causes a heap-use-after-free race condition while
do_readdir_many() is still accessing the old object. This allows a DoS by
an unprivileged guest user.

Fix this by wrapping the worker thread dispatch block within a pair of
v9fs_path_read_lock() and v9fs_path_unlock() calls, like it's done at
other places.

Fixes: 2149675b195f ("9pfs: add new function v9fs_co_readdir_many()")
Fixes: CVE-2026-48004
Reported-by: sin99xx
Signed-off-by: sin99xx
[Christian Schoenebeck: add commit log message]
Link: https://lore.kernel.org/qemu-devel/E1wPkYi-000adH-4E@kylie.crudebyte.com
Signed-off-by: Christian Schoenebeck
---
 hw/9pfs/codir.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/hw/9pfs/codir.c b/hw/9pfs/codir.c index bce7dd96e9..5568399343 100644 --- a/hw/9pfs/codir.c +++ b/hw/9pfs/codir.c @@ -220,13 +220,16 @@ int coroutine_fn v9fs_co_readdir_many(V9fsPDU *pdu, V= 9fsFidState *fidp, bool dostat) { int err =3D 0; + V9fsState *s =3D pdu->s; =20 if (v9fs_request_cancelled(pdu)) { return -EINTR; } + v9fs_path_read_lock(s); v9fs_co_run_in_worker({ err =3D do_readdir_many(pdu, fidp, entries, offset, maxsize, dosta= t); }); + v9fs_path_unlock(s); return err; } =20 --=20 2.47.3
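Review bot: the read lock is now held for the whole v9fs_co_run_in_worker() block, so a rename on the same export, which needs the write side of the same lock (the "rename lock" the commit message refers to), blocks for as long as do_readdir_many() takes to walk a large directory with dostat set. That is the same trade-off the other locked call sites already make and is the right fix, but it deserves a sentence in the commit message so the lock is not later narrowed to just a path copy. Placement is correct: the lock is taken after the v9fs_request_cancelled() check, so a cancelled PDU returns -EINTR without touching it, and the only exit after the lock goes through v9fs_path_unlock(s).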