[
  {
    "id": 3683462,
    "web_url": "http://patchwork.ozlabs.org/comment/3683462/",
    "msgid": "<20260428082151.3234483-1-physicalmtea@gmail.com>",
    "list_archive_url": null,
    "date": "2026-04-28T08:21:51",
    "subject": "Please ignore my [PATCH] 9pfs: fix deep path truncation in V9fsPath",
    "submitter": {
      "id": 93269,
      "url": "http://patchwork.ozlabs.org/api/people/93269/",
      "name": "Jia Jia",
      "email": "physicalmtea@gmail.com"
    },
    "content": "Hi,\n\nPlease ignore my [PATCH] 9pfs: fix deep path truncation in V9fsPath.\n\nSorry. This issue has already been submitted, and the existing GitLab\nreport already includes a concrete fix proposal:\nhttps://gitlab.com/qemu-project/qemu/-/work_items/3358\n\nPlease ignore my patch, and sorry for the noise.\n\nThanks,\nJia Jia",
    "headers": {
      "From": "Jia Jia <physicalmtea@gmail.com>",
      "To": "qemu-devel@nongnu.org",
      "Cc": "Christian Schoenebeck <qemu_oss@crudebyte.com>,\n Greg Kurz <groug@kaod.org>,\n qemu-stable@nongnu.org",
      "Subject": "Please ignore my [PATCH] 9pfs: fix deep path truncation in V9fsPath",
      "Date": "Tue, 28 Apr 2026 16:21:51 +0800",
      "Message-Id": "<20260428082151.3234483-1-physicalmtea@gmail.com>",
      "X-Mailer": "git-send-email 2.34.1",
      "In-Reply-To": "<20260428074614.3169999-1-physicalmtea@gmail.com>",
      "References": "<20260428074614.3169999-1-physicalmtea@gmail.com>",
      "List-Id": "qemu development <qemu-devel.nongnu.org>",
      "List-Archive": "<https://lists.nongnu.org/archive/html/qemu-devel>"
    }
  },
  {
    "id": 3684544,
    "web_url": "http://patchwork.ozlabs.org/comment/3684544/",
    "msgid": "<1954333.tdWV9SEqCh@weasel>",
    "list_archive_url": null,
    "date": "2026-04-30T08:57:32",
    "subject": "Re: [PATCH] 9pfs: fix deep path truncation in V9fsPath",
    "submitter": {
      "id": 77616,
      "url": "http://patchwork.ozlabs.org/api/people/77616/",
      "name": "Christian Schoenebeck",
      "email": "qemu_oss@crudebyte.com"
    },
    "content": "On Tuesday, 28 April 2026 09:46:14 CEST Jia Jia wrote:\n> V9fsPath.size tracks the length of backend path data. Storing it in a\n> uint16_t truncates local backend paths longer than 65535 bytes, so later\n> path copies can end up much smaller than the string data they are\n> supposed to describe.\n> \n> A guest can reach this with normal 9p filesystem operations by creating\n> and walking a sufficiently deep directory tree on the local backend. On\n> an ASan build, calling readdir() in that deep directory aborts the host\n> process with:\n> \n>   ERROR: AddressSanitizer: heap-buffer-overflow\n>     #0 __interceptor_strrchr\n>     #1 g_path_get_dirname\n>     #2 local_lstat\n>     #3 v9fs_co_lstat\n>     #4 v9fs_getattr\n> \n> Fix this by storing V9fsPath lengths in size_t.\n> \n> Resolves: https://gitlab.com/qemu-project/qemu/-/work_items/3358\n> Cc: qemu-stable@nongnu.org\n> Signed-off-by: Jia Jia <physicalmtea@gmail.com>\n> ---\n\nHi Jia, thanks for looking at this issue!\n\n> Runtime reproducer:\n>   confirmed on current master (11.0.50) with an x86_64 ASan build and a\n>   local 9p backend\n> \n>   guest actions:\n>     - mount the 9p share\n>     - create a 260-level directory tree with 255-byte names\n>     - walk back to the deepest directory\n>     - call readdir()\n> \n>   host abort:\n>     ERROR: AddressSanitizer: heap-buffer-overflow\n>       #0 __interceptor_strrchr\n>       #1 g_path_get_dirname\n>       #2 local_lstat\n>       #3 v9fs_co_lstat\n>       #4 v9fs_getattr\n> \n>  fsdev/file-op-9p.h | 2 +-\n>  1 file changed, 1 insertion(+), 1 deletion(-)\n> \n> diff --git a/fsdev/file-op-9p.h b/fsdev/file-op-9p.h\n> index b85c9934def..e8d0661c4b5 100644\n> --- a/fsdev/file-op-9p.h\n> +++ b/fsdev/file-op-9p.h\n> @@ -112,7 +112,7 @@ struct FsContext {\n>  };\n> \n>  struct V9fsPath {\n> -    uint16_t size;\n> +    size_t size;\n>      char *data;\n>  };\n>  P9ARRAY_DECLARE_TYPE(V9fsPath);\n\nI fear it is not that simple. Just changing this data type would only move the \nproblem and furthermore turn a small OOB into a giant OOB: g_vasprintf() \n(called by v9fs_path_sprintf()) has as return type gint -> int, and \nv9fs_path_sprintf() returns -1 on error, and this change would then implicitly \ncast -1 to a giant unsigned value.\n\nAFAICS the only way for truly fixing this is by getting rid of dragging full \npaths around with FIDs in general, which would be a massive change though.\n\nOn short term I only see a possible mitigation: adding error handling to \nv9fs_path_sprintf(), and for FIDs where v9fs_fix_path() fails, making the fids \ninaccessible for good (i.e. immediately closing those FIDs).\n\n/Christian",
    "headers": {
      "From": "Christian Schoenebeck <qemu_oss@crudebyte.com>",
      "To": "qemu-devel@nongnu.org",
      "Cc": "Greg Kurz <groug@kaod.org>, qemu-stable@nongnu.org,\n Jia Jia <physicalmtea@gmail.com>",
      "Subject": "Re: [PATCH] 9pfs: fix deep path truncation in V9fsPath",
      "Date": "Thu, 30 Apr 2026 10:57:32 +0200",
      "Message-ID": "<1954333.tdWV9SEqCh@weasel>",
      "In-Reply-To": "<20260428074614.3169999-1-physicalmtea@gmail.com>",
      "References": "<20260428074614.3169999-1-physicalmtea@gmail.com>",
      "List-Id": "qemu development <qemu-devel.nongnu.org>",
      "List-Archive": "<https://lists.nongnu.org/archive/html/qemu-devel>"
    }
  }
]
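Review bot: Widening `size` from `uint16_t` to `size_t` in the `struct V9fsPath` hunk is not safe on its own, because the reply points out that the value stored there comes from v9fs_path_sprintf(), which wraps the int result of g_vasprintf() and returns -1 on error; assigned to an unsigned size_t that becomes a huge length, so the later path copies would read far beyond the allocation instead of short of it. The type change needs to be paired with a check of the v9fs_path_sprintf() return value before it is stored in `size` (and the FID left unusable when v9fs_fix_path() fails, as the reply suggests), and the commit message should state that error path, since the quoted reproducer (260 levels of 255-byte names, about 66 KiB) only demonstrates the uint16_t wrap and not the error case.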