{"id":2220049,"url":"http://patchwork.ozlabs.org/api/patches/2220049/?format=json","web_url":"http://patchwork.ozlabs.org/project/qemu-devel/patch/20260406050454.284873-2-phind.uet@gmail.com/","project":{"id":14,"url":"http://patchwork.ozlabs.org/api/projects/14/?format=json","name":"QEMU Development","link_name":"qemu-devel","list_id":"qemu-devel.nongnu.org","list_email":"qemu-devel@nongnu.org","web_url":"","scm_url":"","webscm_url":"","list_archive_url":"","list_archive_url_format":"","commit_url_format":""},"msgid":"<20260406050454.284873-2-phind.uet@gmail.com>","list_archive_url":null,"date":"2026-04-06T05:04:54","name":"[v2] util/readline: Fix out-of-bounds access in readline_insert_char().","commit_ref":null,"pull_url":null,"state":"new","archived":false,"hash":"87c4aee6b1d513c71ac62f9cd2eb11131eaaaaeb","submitter":{"id":83910,"url":"http://patchwork.ozlabs.org/api/people/83910/?format=json","name":"Nguyen Dinh Phi [SG]","email":"phind.uet@gmail.com"},"delegate":null,"mbox":"http://patchwork.ozlabs.org/project/qemu-devel/patch/20260406050454.284873-2-phind.uet@gmail.com/mbox/","series":[{"id":498822,"url":"http://patchwork.ozlabs.org/api/series/498822/?format=json","web_url":"http://patchwork.ozlabs.org/project/qemu-devel/list/?series=498822","date":"2026-04-06T05:04:54","name":"[v2] util/readline: Fix out-of-bounds access in readline_insert_char().","version":2,"mbox":"http://patchwork.ozlabs.org/series/498822/mbox/"}],"comments":"http://patchwork.ozlabs.org/api/patches/2220049/comments/","check":"pending","checks":"http://patchwork.ozlabs.org/api/patches/2220049/checks/","tags":{},"related":[],"headers":{"Return-Path":"<qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org>","X-Original-To":"incoming@patchwork.ozlabs.org","Delivered-To":"patchwork-incoming@legolas.ozlabs.org","Authentication-Results":["legolas.ozlabs.org;\n\tdkim=pass (2048-bit key;\n unprotected) header.d=gmail.com header.i=@gmail.com header.a=rsa-sha256\n header.s=20251104 
header.b=CijviWn1;\n\tdkim-atps=neutral","legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=nongnu.org\n (client-ip=209.51.188.17; helo=lists.gnu.org;\n envelope-from=qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org;\n receiver=patchwork.ozlabs.org)"],"Received":["from lists.gnu.org (lists.gnu.org [209.51.188.17])\n\t(using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits))\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4fpy2z3GTLz1xtJ\n\tfor <incoming@patchwork.ozlabs.org>; Mon, 06 Apr 2026 15:06:03 +1000 (AEST)","from localhost ([::1] helo=lists1p.gnu.org)\n\tby lists.gnu.org with esmtp (Exim 4.90_1)\n\t(envelope-from <qemu-devel-bounces@nongnu.org>)\n\tid 1w9c9F-0002Mi-LL; Mon, 06 Apr 2026 01:05:17 -0400","from eggs.gnu.org ([2001:470:142:3::10])\n by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)\n (Exim 4.90_1) (envelope-from <phind.uet@gmail.com>)\n id 1w9c9E-0002MO-Aa\n for qemu-devel@nongnu.org; Mon, 06 Apr 2026 01:05:16 -0400","from mail-pf1-x429.google.com ([2607:f8b0:4864:20::429])\n by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128)\n (Exim 4.90_1) (envelope-from <phind.uet@gmail.com>)\n id 1w9c9C-0001nx-P2\n for qemu-devel@nongnu.org; Mon, 06 Apr 2026 01:05:16 -0400","by mail-pf1-x429.google.com with SMTP id\n d2e1a72fcca58-82a7ebc729dso1411262b3a.3\n for <qemu-devel@nongnu.org>; Sun, 05 Apr 2026 22:05:13 -0700 (PDT)","from localhost.localdomain ([147.136.157.2])\n by smtp.googlemail.com with ESMTPSA id\n d2e1a72fcca58-82cf9c9cbdfsm16036202b3a.53.2026.04.05.22.05.10\n (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);\n Sun, 05 Apr 2026 22:05:11 -0700 (PDT)"],"DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed;\n d=gmail.com; s=20251104; t=1775451913; x=1776056713; darn=nongnu.org;\n h=content-transfer-encoding:mime-version:message-id:date:subject:cc\n :to:from:from:to:cc:subject:date:message-id:reply-to;\n 
bh=Oxxjox1gJ+tGqFRrxpajMy1uEJ4ChHv4Ckz6L2imF0Q=;\n b=CijviWn1FcCFd0x+eJYVxJ/vU/SomF9vOwC2P4U/UnJmMmG0/h1VmJIoNDhaTbwzFb\n TzCt/CrYcgFNaVr5m1TJTgwmkD0E+hxXGu8/jOgDsWJYbODJpALiG8LAqvlZyTbd8cYz\n 0tq0xOLGdKrzUlteVbpfo3T04b2vWC7ReAJSkToQv2pPz2lixnWNOf8v5P3W+67PBQk/\n KDI/lxhCYRaVSnDfz0BrClJCp/DZTLNxuk8mOgfKVGL4iOXkc5XPCYdwrib3kChhP7Nd\n fU1Y8g19PWCM5mLLHFk+f+Z5yCCw1HcLyz6Jht8WK8ZehkzGHhS4rZHkIGnDp2lfRw/t\n ttrw==","X-Google-DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed;\n d=1e100.net; s=20251104; t=1775451913; x=1776056713;\n h=content-transfer-encoding:mime-version:message-id:date:subject:cc\n :to:from:x-gm-gg:x-gm-message-state:from:to:cc:subject:date\n :message-id:reply-to;\n bh=Oxxjox1gJ+tGqFRrxpajMy1uEJ4ChHv4Ckz6L2imF0Q=;\n b=qtH/17Sa/sguCwEKMYclGGJUwa0gI1LzwsBXRGS+jiqoxMwjEchQoV8tb/BHP9mKtW\n RwpqNLChl82ODQH3gaxZ+orx/Wp08E58FmsdwKPeeEZLQeBSwnK85ySrRNiZJ9v7ast0\n dmqsQkpVWGSAEUy9pmVsMmorTjDTFGTL6JblIufBeWTLDSDwyaGUn+c9R0wE/sD5BNqW\n idk1j93s3awbnZ83xi6QX6dup89//Rr6zf30Mu7wX+Mqf/uUyEkbhaigkY9goJ5Vft0M\n GH3/2hz5dAJtU8fHtmhSU4WJlK8Srg/VUq0GP0xe51hkSM/Bh/w4kfwJol5nsnMdY6sp\n fEgw==","X-Forwarded-Encrypted":"i=1;\n AJvYcCWLPNcD0FZPVfCfAikksyeVohiveyOsgJD0LZQXMGpgRF//e9Upwoa3UxW9jTiSYzBJ08zB8wYMLGXa@nongnu.org","X-Gm-Message-State":"AOJu0YyuJnZiLga6yO+S8oKzosh4b1LCYzIhYm39/Nb3UAQ6Hqb5tkgp\n tE0v5Dwp/1yn3uvi6cAY0vp0eMOJ707vD3DJ4x/2UEXpaKa8DxwoMeSG+JMnCQ==","X-Gm-Gg":"AeBDiesXsNvQp4mpkeBS5V5Lbl6SAHPmEpmT9HkfXSl4HJgjnjhH0kj/j3XgsmCU8Mc\n 2Tq0fhXZSjJY0xNkHfVU99vqNm/nbATTWI5om6grmFgx/fqlXlwRrRpo7+968YwNHhck+7pChrW\n CrbVVCjnbkZ4v2j6tnrwtOcNWPml67YhSYR3sOnXtstNBb9S/TgdzwbQ8pn7anXF2V0O9HNqWGu\n 6cYf4GxSo+aoceCSwp1n1eaUqvIhWuOGQ0F8quLBgIpSiPEfNpWHKLVUD/PMS4UR6Ij3qkK4Y8K\n mAuWrc+Wsj5E2gs5pL2eHL8MhjmHypko3eyAFq+JGQqblTVlWLwtMg5C+ZwpvcgzFoK9zca9Y36\n pv5DMYojr7hss/sBYNR4Pr6xrQpAXOsAbmQKDGxBMGHGPGGU4NF+QRexv8slhYkqENBNCvuL18X\n lvC6ktQC/Y9lwG7LcNLe6BHD/Kmr8B4/FhtnE=","X-Received":"by 2002:a05:6a00:1d9e:b0:82c:e19d:cabd with SMTP id\n 
d2e1a72fcca58-82d0da2afbcmr10637317b3a.10.1775451912555;\n Sun, 05 Apr 2026 22:05:12 -0700 (PDT)","From":"phind.uet@gmail.com","To":"marcandre.lureau@gmail.com","Cc":"Nguyen Dinh Phi <phind.uet@gmail.com>,\n\tqemu-devel@nongnu.org","Subject":"[PATCH v2] util/readline: Fix out-of-bounds access in\n readline_insert_char().","Date":"Mon,  6 Apr 2026 13:04:54 +0800","Message-ID":"<20260406050454.284873-2-phind.uet@gmail.com>","X-Mailer":"git-send-email 2.43.0","MIME-Version":"1.0","Content-Transfer-Encoding":"8bit","Received-SPF":"pass client-ip=2607:f8b0:4864:20::429;\n envelope-from=phind.uet@gmail.com; helo=mail-pf1-x429.google.com","X-Spam_score_int":"-20","X-Spam_score":"-2.1","X-Spam_bar":"--","X-Spam_report":"(-2.1 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1,\n DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001,\n RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001,\n SPF_PASS=-0.001 autolearn=ham autolearn_force=no","X-Spam_action":"no action","X-BeenThere":"qemu-devel@nongnu.org","X-Mailman-Version":"2.1.29","Precedence":"list","List-Id":"qemu development <qemu-devel.nongnu.org>","List-Unsubscribe":"<https://lists.nongnu.org/mailman/options/qemu-devel>,\n <mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>","List-Archive":"<https://lists.nongnu.org/archive/html/qemu-devel>","List-Post":"<mailto:qemu-devel@nongnu.org>","List-Help":"<mailto:qemu-devel-request@nongnu.org?subject=help>","List-Subscribe":"<https://lists.nongnu.org/mailman/listinfo/qemu-devel>,\n <mailto:qemu-devel-request@nongnu.org?subject=subscribe>","Errors-To":"qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org","Sender":"qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org"},"content":"From: Nguyen Dinh Phi <phind.uet@gmail.com>\n\nCurrently, the readline_insert_char() function is guarded by the cursor\nposition (cmd_buf_index) rather than the actual buffer fill level(cmd_buf_size).\nThe current check is:\n\tif (rs->cmd_buf_index < 
READLINE_CMD_BUF_SIZE)\n\nThis logic is flawed because if the command buffer is full and a user moves the\ncursor backward (e.g. by sending the left arrow key), cmd_buf_index can be\ndecreased without decreasing the buffer size.\nThis allows subsequent insertions to increase cmd_buf_size past its maximum\nlimit of rs->cmd_buf.\n\nBecause in the ReadLineState struct, cmd_buf[READLINE_CMD_BUF_SIZE + 1] is\nimmediately followed by the cmd_buf_index integer, once the buffer size is\nsufficiently inflated, the memmove() operation inside readline_insert_char()\ncan write past the end of cmd_buf[] and overwrite cmd_buf_index itself.\n\nThe subsequent line:\n\trs->cmd_buf[rs->cmd_buf_index] = ch;\n\nthen writes the input character to an address determined by the now-corrupted\nindex.\n\nBy providing a specifically crafted input sequence via HMP, this flaw can be\nused to redirect the write operation to overwrite any field within the\nReadLineState structure, which can lead to unpredictable behavior or\napplication crashes.\n\nFix this by adding a guard to check for buffer fullness.\n\nSigned-off-by: Nguyen Dinh Phi <phind.uet@gmail.com>\n---\n util/readline.c | 4 +++-\n 1 file changed, 3 insertions(+), 1 deletion(-)\n---\nV2:\n  use assert() to check the value of cmd_buf_index before the\n  insertion.","diff":"diff --git a/util/readline.c b/util/readline.c\nindex 0f19674f52..e2664e48ca 100644\n--- a/util/readline.c\n+++ b/util/readline.c\n@@ -84,7 +84,9 @@ static void readline_update(ReadLineState *rs)\n \n static void readline_insert_char(ReadLineState *rs, int ch)\n {\n-    if (rs->cmd_buf_index < READLINE_CMD_BUF_SIZE) {\n+    assert(rs->cmd_buf_index <= rs->cmd_buf_size);\n+\n+    if (rs->cmd_buf_size < READLINE_CMD_BUF_SIZE) {\n         memmove(rs->cmd_buf + rs->cmd_buf_index + 1,\n                 rs->cmd_buf + rs->cmd_buf_index,\n                 rs->cmd_buf_size - rs->cmd_buf_index);\n","prefixes":["v2"]}
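Review bot: the rationale for the new assert() in readline_insert_char() belongs in the commit message body, which only describes the fullness guard; the V2 note sits below the `---` and will not reach git history. The point worth recording is that once the guard is on cmd_buf_size, nothing in this function bounds cmd_buf_index any more, and the memmove length `rs->cmd_buf_size - rs->cmd_buf_index` is an int difference converted to size_t, so a cursor past the fill level would wrap it to a huge length; the assert pins exactly that invariant (cursor never beyond fill level), and aborting is the right response because that state would already be a memory-safety bug rather than a rejectable keystroke. A one-line mention of this in the message would make the hunk self-explaining to future readers.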
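The commit message describes the mechanism in prose (full buffer, cursor moved left, insert, repeat). The following is an added, self-contained model of that behaviour; it is not QEMU's code. It mirrors the described layout (cmd_buf[] immediately followed by cmd_buf_index) and the visible memmove, but the buffer capacity, the field types, the left-arrow handler and the index/size increments after the insert are assumptions. So that the pre-fix path can be driven without undefined behaviour, the model's backing array carries extra slack bytes and the code only measures how far the fill level overshoots; a separate struct without slack is used with offsetof() to show which inflating insert would reach cmd_buf_index in the real layout.

```c
/*
 * Added example, not QEMU code: a model of readline_insert_char() from
 * util/readline.c with the pre-fix guard (cursor-based) and the fixed
 * guard (fill-level-based) side by side.
 *
 * Assumptions: CMD_BUF_SIZE stands in for READLINE_CMD_BUF_SIZE (value
 * chosen small here); cmd_buf_index / cmd_buf_size are ints; after an
 * insert both are incremented; left arrow decrements the cursor only.
 */
#include <assert.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define CMD_BUF_SIZE 16   /* assumed stand-in for READLINE_CMD_BUF_SIZE */
#define SLACK 64          /* extra bytes so the buggy path stays in bounds here */

/* Layout as described in the commit message (no slack): cmd_buf[] is
 * immediately followed by cmd_buf_index. */
typedef struct {
    char cmd_buf[CMD_BUF_SIZE + 1];
    int cmd_buf_index;
    int cmd_buf_size;
} RealLayout;

/* Same fields, but with slack after the logical buffer so the demo can
 * drive the pre-fix guard past CMD_BUF_SIZE without touching memory it
 * does not own. */
typedef struct {
    char cmd_buf[CMD_BUF_SIZE + 1 + SLACK];
    int cmd_buf_index;   /* cursor position */
    int cmd_buf_size;    /* fill level */
} Model;

static void model_insert(Model *m, int ch, bool fixed)
{
    bool room;

    if (fixed) {
        /* v2 patch: cursor may never be past the fill level, otherwise the
         * memmove length below would wrap when converted to size_t. */
        assert(m->cmd_buf_index <= m->cmd_buf_size);
        room = m->cmd_buf_size < CMD_BUF_SIZE;     /* fixed guard */
    } else {
        room = m->cmd_buf_index < CMD_BUF_SIZE;    /* pre-fix guard */
    }
    if (!room) {
        return;
    }
    /* Same memmove as the patched function: shifts [index, size) up by one,
     * so the highest byte written is cmd_buf[size]. */
    memmove(m->cmd_buf + m->cmd_buf_index + 1,
            m->cmd_buf + m->cmd_buf_index,
            m->cmd_buf_size - m->cmd_buf_index);
    m->cmd_buf[m->cmd_buf_index] = (char)ch;
    m->cmd_buf_index++;      /* assumed */
    m->cmd_buf_size++;       /* assumed */
}

static void model_left_arrow(Model *m)
{
    if (m->cmd_buf_index > 0) {
        m->cmd_buf_index--;  /* assumed: cursor moves, fill level does not */
    }
}

/* Fill the buffer, then repeat (left arrow, insert) `extra` times.
 * Returns the resulting fill level. */
static int drive(bool fixed, int extra)
{
    Model m;
    memset(&m, 0, sizeof m);
    assert(extra <= SLACK);  /* keep the buggy path inside the slack */
    for (int i = 0; i < CMD_BUF_SIZE; i++) {
        model_insert(&m, 'a', fixed);
    }
    for (int i = 0; i < extra; i++) {
        model_left_arrow(&m);
        model_insert(&m, 'b', fixed);
    }
    return m.cmd_buf_size;
}

/* With the pre-fix guard, the k-th inflating insert (k = 1, 2, ...) writes
 * cmd_buf[CMD_BUF_SIZE + k - 1]. Returns the k at which that byte is the
 * first byte of cmd_buf_index in the real (slack-free) layout. */
static int clobber_insert_number(void)
{
    return (int)offsetof(RealLayout, cmd_buf_index) - CMD_BUF_SIZE + 1;
}

int main(void)
{
    printf("fill level, pre-fix guard, 8 left+insert after full: %d (cap %d)\n",
           drive(false, 8), CMD_BUF_SIZE);
    printf("fill level, fixed guard,   8 left+insert after full: %d (cap %d)\n",
           drive(true, 8), CMD_BUF_SIZE);
    printf("inflating insert that first reaches cmd_buf_index: #%d\n",
           clobber_insert_number());
    return 0;
}
```

With the pre-fix guard the fill level climbs by one per left+insert pair, because the cursor the guard looks at is pulled back below CMD_BUF_SIZE every time; with the fixed guard the fill level stays pinned at the capacity. The clobber number comes from offsetof(), so it accounts for any padding between the array and the int on the compiling ABI.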