Patch Detail
get:
Show a patch.
patch:
Update a patch.
put:
Update a patch.
GET /api/patches/2219062/?format=api
{ "id": 2219062, "url": "http://patchwork.ozlabs.org/api/patches/2219062/?format=api", "web_url": "http://patchwork.ozlabs.org/project/qemu-devel/patch/20260402105150.274595-1-phind.uet@gmail.com/", "project": { "id": 14, "url": "http://patchwork.ozlabs.org/api/projects/14/?format=api", "name": "QEMU Development", "link_name": "qemu-devel", "list_id": "qemu-devel.nongnu.org", "list_email": "qemu-devel@nongnu.org", "web_url": "", "scm_url": "", "webscm_url": "", "list_archive_url": "", "list_archive_url_format": "", "commit_url_format": "" }, "msgid": "<20260402105150.274595-1-phind.uet@gmail.com>", "list_archive_url": null, "date": "2026-04-02T10:51:49", "name": "util/readline: Fix out-of-bounds access in readline_insert_char().", "commit_ref": null, "pull_url": null, "state": "new", "archived": false, "hash": "0e1149d934264d66c6c1096235cea67557b84059", "submitter": { "id": 83910, "url": "http://patchwork.ozlabs.org/api/people/83910/?format=api", "name": "NGUYEN DINH PHI", "email": "phind.uet@gmail.com" }, "delegate": null, "mbox": "http://patchwork.ozlabs.org/project/qemu-devel/patch/20260402105150.274595-1-phind.uet@gmail.com/mbox/", "series": [ { "id": 498470, "url": "http://patchwork.ozlabs.org/api/series/498470/?format=api", "web_url": "http://patchwork.ozlabs.org/project/qemu-devel/list/?series=498470", "date": "2026-04-02T10:51:49", "name": "util/readline: Fix out-of-bounds access in readline_insert_char().", "version": 1, "mbox": "http://patchwork.ozlabs.org/series/498470/mbox/" } ], "comments": "http://patchwork.ozlabs.org/api/patches/2219062/comments/", "check": "pending", "checks": "http://patchwork.ozlabs.org/api/patches/2219062/checks/", "tags": {}, "related": [], "headers": { "Return-Path": "<qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org>", "X-Original-To": "incoming@patchwork.ozlabs.org", "Delivered-To": "patchwork-incoming@legolas.ozlabs.org", "Authentication-Results": [ "legolas.ozlabs.org;\n\tdkim=pass (2048-bit key;\n unprotected) header.d=gmail.com header.i=@gmail.com header.a=rsa-sha256\n header.s=20251104 header.b=F4fnbADI;\n\tdkim-atps=neutral", "legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=nongnu.org\n (client-ip=209.51.188.17; helo=lists.gnu.org;\n envelope-from=qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org;\n receiver=patchwork.ozlabs.org)" ], "Received": [ "from lists.gnu.org (lists.gnu.org [209.51.188.17])\n\t(using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits))\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4fmf5b1x6yz1yGH\n\tfor <incoming@patchwork.ozlabs.org>; Thu, 02 Apr 2026 22:00:19 +1100 (AEDT)", "from localhost ([::1] helo=lists1p.gnu.org)\n\tby lists.gnu.org with esmtp (Exim 4.90_1)\n\t(envelope-from <qemu-devel-bounces@nongnu.org>)\n\tid 1w8Fly-000384-Ix; Thu, 02 Apr 2026 06:59:38 -0400", "from eggs.gnu.org ([2001:470:142:3::10])\n by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)\n (Exim 4.90_1) (envelope-from <phind.uet@gmail.com>)\n id 1w8Fle-0002mu-4w\n for qemu-devel@nongnu.org; Thu, 02 Apr 2026 06:59:25 -0400", "from mail-pj1-x1031.google.com ([2607:f8b0:4864:20::1031])\n by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128)\n (Exim 4.90_1) (envelope-from <phind.uet@gmail.com>)\n id 1w8FlY-0005NY-DL\n for qemu-devel@nongnu.org; Thu, 02 Apr 2026 06:59:13 -0400", "by mail-pj1-x1031.google.com with SMTP id\n 98e67ed59e1d1-35c1d101355so280293a91.1\n for <qemu-devel@nongnu.org>; Thu, 02 Apr 2026 03:59:06 -0700 (PDT)", "from localhost.localdomain ([147.136.157.3])\n by smtp.googlemail.com with ESMTPSA id\n 98e67ed59e1d1-35dbe41b11fsm7512715a91.0.2026.04.02.03.59.03\n (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);\n Thu, 02 Apr 2026 03:59:04 -0700 (PDT)" ], "DKIM-Signature": "v=1; a=rsa-sha256; c=relaxed/relaxed;\n d=gmail.com; s=20251104; t=1775127545; x=1775732345; darn=nongnu.org;\n h=content-transfer-encoding:mime-version:message-id:date:subject:cc\n :to:from:from:to:cc:subject:date:message-id:reply-to;\n bh=84lxbSE2/pGx4RncQfTFwrbz2zjjlgBjhGePjquQX8s=;\n b=F4fnbADIEsutzGhEKGy5fT7moTPzEtnH9aOwDb3oFALiJ2rR7XgLjLOOsHL8BmOpQH\n 8wQYlVnw3b3sy6LbHLaxjTBxlH7XVVTQ48fdOYF34O9sEE/R2ZsnLyEhxGRYcptNsD5U\n ozJuHBdHZqqfbT5kVPHIGERUKx8OtJIARbI5x3xERVm8VEBN/ZL75oLwSKwfz0MDcgIv\n lPEA9zR3CKmZQupUd8tnqICvw4ToUAhYbvvm2DuurK9PkrwVpl76+VZ/YgfHcebezgI6\n dpbfidOLSV4qJyiFqhZWEODKU6Bq/QfHCTu1JSXujuDPxuowHDSf/vMnOSo+fh1LtGbF\n ZUxA==", "X-Google-DKIM-Signature": "v=1; a=rsa-sha256; c=relaxed/relaxed;\n d=1e100.net; s=20251104; t=1775127545; x=1775732345;\n h=content-transfer-encoding:mime-version:message-id:date:subject:cc\n :to:from:x-gm-gg:x-gm-message-state:from:to:cc:subject:date\n :message-id:reply-to;\n bh=84lxbSE2/pGx4RncQfTFwrbz2zjjlgBjhGePjquQX8s=;\n b=PDRzuRKVTx3sVwMJBSxAGX8vSNgvyGye0ajF+1ANZl8khVE4zau/xzAna0YH2DJfbf\n UMBiHD2aMpX04BvDOD9WOVt0TDJXIXECmJZ1FiWgXM3f/Af1Ct5eAR6omJC1Vvvj4mjN\n svwMPXq6CljyNCi5+FjXXJxXWl2cHXOdHsxyNXxUhLN6elmidvXgCSJBnW8vzSQ3yD3n\n Qo88PldPimRxPGPNVJpdJYBPmVFyAduHCf7vcJHLLnG8JiDyFLIuH+iZukeEftizdTOp\n dctPBp9B6TRQXLDW3A3CcmhGC0M0maCOsM4lz4cPwQKT65c5DkvefjVrEdhoNSt83sOD\n 781w==", "X-Forwarded-Encrypted": "i=1;\n AJvYcCUQPPu+jz7hNLIOMsWXCgD1KRJIA+ECFCsTERdCl6V2XvFglY+0ycpC3sTPWkskmX0Y+icPMfKKGzJU@nongnu.org", "X-Gm-Message-State": "AOJu0YzRfhWTmonlhA6WZY9yclYOKutqaNIXDeAlSwwO17MuCGtaQmu+\n PmvQA+RrxjiaC9uStfXSuGJ/xLrdiJ+/L1y5BNbg1+uEm1qgSIu4EAy3KmMqQg==", "X-Gm-Gg": "AeBDietrgZ0JnBrOlBz6JsNoNPQIcMGFYeKOGIKvPBVZSBEirQRNvz5CFKfGB8HXmnw\n OUAPtx5srU6D7WmAVTtOT+7SWP2fQjx1egu0IhNI1FR6z9IiENY8HAvT9gG+4mQzFk/onAxPcdD\n Qh8hp7lhPc+19Hvnqtpt9KvK3HA2Vt5oknYhxxxZlBa7vmCiFKOMmXp0XlsXWMiU+5YdPSmPuab\n EyTRXN0L4tbs1y3DEupsvueBCH5r6f6H47No5ejVEAOTmypnf6c/pM2zkAra5sYHywKXWr0IyAS\n LacTr9HmicQ+YLTQwgd+hFh0qQMdKlyECulF34+Fa5UHV3ZNOr1/fjfjbdfhsxigmArnMZ+/onU\n FnMMMon5Vcgc1x3hG+Mf9/pVkOl3ENLzeXSVgFFgmVuOvJucMfY1ciNkKC2GQXcMPRIHU+o5+ea\n nUj+sXGcGL/aPQyrKjBYuPd6c7BtUPO15ky+w=", "X-Received": "by 2002:a17:90b:1e53:b0:359:d54:846f with SMTP id\n 98e67ed59e1d1-35dc6e5f96cmr6711752a91.7.1775127545433;\n Thu, 02 Apr 2026 03:59:05 -0700 (PDT)", "From": "phind.uet@gmail.com", "To": "", "Cc": "Nguyen Dinh Phi <phind.uet@gmail.com>,\n\tqemu-devel@nongnu.org", "Subject": "[PATCH] util/readline: Fix out-of-bounds access in\n readline_insert_char().", "Date": "Thu, 2 Apr 2026 18:51:49 +0800", "Message-ID": "<20260402105150.274595-1-phind.uet@gmail.com>", "X-Mailer": "git-send-email 2.43.0", "MIME-Version": "1.0", "Content-Transfer-Encoding": "8bit", "Received-SPF": "pass client-ip=2607:f8b0:4864:20::1031;\n envelope-from=phind.uet@gmail.com; helo=mail-pj1-x1031.google.com", "X-Spam_score_int": "-20", "X-Spam_score": "-2.1", "X-Spam_bar": "--", "X-Spam_report": "(-2.1 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1,\n DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001,\n RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001,\n SPF_PASS=-0.001 autolearn=ham autolearn_force=no", "X-Spam_action": "no action", "X-BeenThere": "qemu-devel@nongnu.org", "X-Mailman-Version": "2.1.29", "Precedence": "list", "List-Id": "qemu development <qemu-devel.nongnu.org>", "List-Unsubscribe": "<https://lists.nongnu.org/mailman/options/qemu-devel>,\n <mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>", "List-Archive": "<https://lists.nongnu.org/archive/html/qemu-devel>", "List-Post": "<mailto:qemu-devel@nongnu.org>", "List-Help": "<mailto:qemu-devel-request@nongnu.org?subject=help>", "List-Subscribe": "<https://lists.nongnu.org/mailman/listinfo/qemu-devel>,\n <mailto:qemu-devel-request@nongnu.org?subject=subscribe>", "Errors-To": "qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org", "Sender": "qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org" }, "content": "From: Nguyen Dinh Phi <phind.uet@gmail.com>\n\nCurrently, the readline_insert_char() function is guarded by the cursor\nposition (cmd_buf_index) rather than the actual buffer fill level(cmd_buf_size).\nThe current check is:\n\tif (rs->cmd_buf_index < READLINE_CMD_BUF_SIZE)\n\nThis logic is flawed because if the command buffer is full and a user moves the\ncursor backward (e.g. by sending left arrow key), cmd_buf_index can be\ndecreased without descreasing of buffer size.\nThis allow subsequent insertions to increase cmd_buf_size past its maximum\nlimit of rs->cmd_buf.\n\nBecause in the ReadLineState struct, cmd_buf[READLINE_CMD_BUF_SIZE + 1] is\nimmediately followed by the cmd_buf_index integer, once the buffer size is\nsufficiently inflated, the memmove() operation inside readline_insert_char()\ncan write past the end of cmd_buf[] and overwrite cmd_buf_index itself.\n\nThe subsequent line:\n\trs->cmd_buf[rs->cmd_buf_index] = ch;\n\nthen writes the input character to an address determined by the now-corrupted\nindex.\n\nBy providing a specifically crafted input sequence via HMP, this flaw can be\nused to redirect the write operation to overwrite any field within the\nReadLineState structure, which can lead to unpredictable behavior or\napplication crashes.\n\nFix this by adding the guard to check for buffer fullness and ensuring the \nindex remains valid.\n\nSigned-off-by: Nguyen Dinh Phi <phind.uet@gmail.com>\n---\n util/readline.c | 3 ++-\n 1 file changed, 2 insertions(+), 1 deletion(-)", "diff": "diff --git a/util/readline.c b/util/readline.c\nindex 0f19674f52..6b1de1094a 100644\n--- a/util/readline.c\n+++ b/util/readline.c\n@@ -84,7 +84,8 @@ static void readline_update(ReadLineState *rs)\n \n static void readline_insert_char(ReadLineState *rs, int ch)\n {\n- if (rs->cmd_buf_index < READLINE_CMD_BUF_SIZE) {\n+ if (rs->cmd_buf_index <= rs->cmd_buf_size &&\n+ rs->cmd_buf_size < READLINE_CMD_BUF_SIZE) {\n memmove(rs->cmd_buf + rs->cmd_buf_index + 1,\n rs->cmd_buf + rs->cmd_buf_index,\n rs->cmd_buf_size - rs->cmd_buf_index);\n", "prefixes": [] }