Patch Detail
GET /api/patches/2220035/?format=api
{ "id": 2220035, "url": "http://patchwork.ozlabs.org/api/patches/2220035/?format=api", "web_url": "http://patchwork.ozlabs.org/project/qemu-devel/patch/20260406024552.204973-1-phind.uet@gmail.com/", "project": { "id": 14, "url": "http://patchwork.ozlabs.org/api/projects/14/?format=api", "name": "QEMU Development", "link_name": "qemu-devel", "list_id": "qemu-devel.nongnu.org", "list_email": "qemu-devel@nongnu.org", "web_url": "", "scm_url": "", "webscm_url": "", "list_archive_url": "", "list_archive_url_format": "", "commit_url_format": "" }, "msgid": "<20260406024552.204973-1-phind.uet@gmail.com>", "list_archive_url": null, "date": "2026-04-06T02:45:52", "name": "util/readline: Fix out-of-bounds access in readline_insert_char().", "commit_ref": null, "pull_url": null, "state": "new", "archived": false, "hash": "87c4aee6b1d513c71ac62f9cd2eb11131eaaaaeb", "submitter": { "id": 83910, "url": "http://patchwork.ozlabs.org/api/people/83910/?format=api", "name": "Nguyen Dinh Phi [SG]", "email": "phind.uet@gmail.com" }, "delegate": null, "mbox": "http://patchwork.ozlabs.org/project/qemu-devel/patch/20260406024552.204973-1-phind.uet@gmail.com/mbox/", "series": [ { "id": 498816, "url": "http://patchwork.ozlabs.org/api/series/498816/?format=api", "web_url": "http://patchwork.ozlabs.org/project/qemu-devel/list/?series=498816", "date": "2026-04-06T02:45:52", "name": "util/readline: Fix out-of-bounds access in readline_insert_char().", "version": 1, "mbox": "http://patchwork.ozlabs.org/series/498816/mbox/" } ], "comments": "http://patchwork.ozlabs.org/api/patches/2220035/comments/", "check": "pending", "checks": "http://patchwork.ozlabs.org/api/patches/2220035/checks/", "tags": {}, "related": [], "headers": { "Return-Path": "<qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org>", "X-Original-To": "incoming@patchwork.ozlabs.org", "Delivered-To": "patchwork-incoming@legolas.ozlabs.org", "From": "phind.uet@gmail.com", "To": "marcandre.lureau@gmail.com", "Cc": "Nguyen Dinh Phi <phind.uet@gmail.com>,\n\tqemu-devel@nongnu.org", "Subject": "[PATCH] util/readline: Fix out-of-bounds access in\n readline_insert_char().", "Date": "Mon, 6 Apr 2026 10:45:52 +0800", "Message-ID": "<20260406024552.204973-1-phind.uet@gmail.com>", "X-Mailer": "git-send-email 2.43.0", "MIME-Version": "1.0", "Content-Transfer-Encoding": "8bit", "Received-SPF": "pass client-ip=2607:f8b0:4864:20::1032;\n envelope-from=phind.uet@gmail.com; helo=mail-pj1-x1032.google.com", "X-Spam_score_int": "-20", "X-Spam_score": "-2.1", "X-Spam_bar": "--", "X-Spam_report": "(-2.1 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1,\n DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001,\n RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001,\n SPF_PASS=-0.001 autolearn=ham autolearn_force=no", "X-Spam_action": "no action", "X-BeenThere": "qemu-devel@nongnu.org", "X-Mailman-Version": "2.1.29", "Precedence": "list", "List-Id": "qemu development <qemu-devel.nongnu.org>", "List-Unsubscribe": "<https://lists.nongnu.org/mailman/options/qemu-devel>,\n <mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>", "List-Archive": "<https://lists.nongnu.org/archive/html/qemu-devel>", "List-Post": "<mailto:qemu-devel@nongnu.org>", "List-Help": "<mailto:qemu-devel-request@nongnu.org?subject=help>", "List-Subscribe": "<https://lists.nongnu.org/mailman/listinfo/qemu-devel>,\n <mailto:qemu-devel-request@nongnu.org?subject=subscribe>", "Errors-To": "qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org", "Sender": "qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org" }, "content": "From: Nguyen Dinh Phi <phind.uet@gmail.com>\n\nCurrently, the readline_insert_char() function is guarded by 
the cursor\nposition (cmd_buf_index) rather than the actual buffer fill level (cmd_buf_size).\nThe current check is:\n\tif (rs->cmd_buf_index < READLINE_CMD_BUF_SIZE)\n\nThis logic is flawed because if the command buffer is full and a user moves the\ncursor backward (e.g. by sending the left arrow key), cmd_buf_index can be\ndecreased without decreasing the buffer size.\nThis allows subsequent insertions to increase cmd_buf_size past its maximum\nlimit of rs->cmd_buf.\n\nBecause in the ReadLineState struct, cmd_buf[READLINE_CMD_BUF_SIZE + 1] is\nimmediately followed by the cmd_buf_index integer, once the buffer size is\nsufficiently inflated, the memmove() operation inside readline_insert_char()\ncan write past the end of cmd_buf[] and overwrite cmd_buf_index itself.\n\nThe subsequent line:\n\trs->cmd_buf[rs->cmd_buf_index] = ch;\n\nthen writes the input character to an address determined by the now-corrupted\nindex.\n\nBy providing a specifically crafted input sequence via HMP, this flaw can be\nused to redirect the write operation to overwrite any field within the\nReadLineState structure, which can lead to unpredictable behavior or\napplication crashes.\n\nFix this by adding the guard to check for buffer fullness.\n\nSigned-off-by: Nguyen Dinh Phi <phind.uet@gmail.com>\n---\n util/readline.c | 4 +++-\n 1 file changed, 3 insertions(+), 1 deletion(-)\n---\nV2:\n use assert() to check the value of cmd_buf_index before the\n insertion.", "diff": "diff --git a/util/readline.c b/util/readline.c\nindex 0f19674f52..e2664e48ca 100644\n--- a/util/readline.c\n+++ b/util/readline.c\n@@ -84,7 +84,9 @@ static void readline_update(ReadLineState *rs)\n \n static void readline_insert_char(ReadLineState *rs, int ch)\n {\n- if (rs->cmd_buf_index < READLINE_CMD_BUF_SIZE) {\n+ assert(rs->cmd_buf_index <= rs->cmd_buf_size);\n+\n+ if (rs->cmd_buf_size < READLINE_CMD_BUF_SIZE) {\n memmove(rs->cmd_buf + rs->cmd_buf_index + 1,\n rs->cmd_buf + rs->cmd_buf_index,\n rs->cmd_buf_size - 
rs->cmd_buf_index);\n", "prefixes": [] }
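Review bot: the new guard `if (rs->cmd_buf_size < READLINE_CMD_BUF_SIZE)` is the right bound for the memmove length `rs->cmd_buf_size - rs->cmd_buf_index`, since it is the fill level, not the cursor, that decides whether one more byte fits; but the `assert(rs->cmd_buf_index <= rs->cmd_buf_size)` placed above it turns any invariant violation into a process abort reachable from monitor input, and the commit message should say why that trade-off (abort rather than silent corruption) is acceptable for HMP, as the V2 note only records that assert() is now used. Two style points: the body carries a "V2:" changelog while the subject is still "[PATCH]" and Patchwork lists the series as version 1, so this should go out as "[PATCH v2]" (git format-patch -v2) so it is tracked as a new revision; and "Fix this by adding the guard" describes an addition, whereas the hunk replaces the index-based check with a size-based one, which is worth stating exactly.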