mirror of
https://github.com/qemu/qemu.git
synced 2026-07-08 17:46:17 +00:00
util/readline: Fix out-of-bounds access in readline_insert_char().
Currently, the readline_insert_char() function is guarded by the cursor position (cmd_buf_index) rather than the actual buffer fill level(cmd_buf_size). The current check is: if (rs->cmd_buf_index < READLINE_CMD_BUF_SIZE) This logic is flawed because if the command buffer is full and a user moves the cursor backward (e.g. by sending left arrow key), cmd_buf_index can be decreased without descreasing of buffer size. This allow subsequent insertions to increase cmd_buf_size past its maximum limit of rs->cmd_buf. Because in the ReadLineState struct, cmd_buf[READLINE_CMD_BUF_SIZE + 1] is immediately followed by the cmd_buf_index integer, once the buffer size is sufficiently inflated, the memmove() operation inside readline_insert_char() can write past the end of cmd_buf[] and overwrites cmd_buf_index itself. The subsequent line: rs->cmd_buf[rs->cmd_buf_index] = ch; then writes the input character to an address determined by the now-corrupted index. By providing a specifically crafted input sequence via HMP, this flaw can be used to redirect the write operation to overwrite any field within the ReadLineState structure, which can lead to unpredictable behavior or application crashes. Fix this by adding the guard to check for buffer fullness. Cc: qemu-stable@nongnu.org Signed-off-by: Nguyen Dinh Phi <phind.uet@gmail.com> Message-id: 20260406050454.284873-2-phind.uet@gmail.com Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com> Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
This commit is contained in:
committed by
Peter Maydell
parent
e29302cbe6
commit
4e4832dd72
@@ -84,7 +84,9 @@ static void readline_update(ReadLineState *rs)
|
||||
|
||||
static void readline_insert_char(ReadLineState *rs, int ch)
|
||||
{
|
||||
if (rs->cmd_buf_index < READLINE_CMD_BUF_SIZE) {
|
||||
assert(rs->cmd_buf_index <= rs->cmd_buf_size);
|
||||
|
||||
if (rs->cmd_buf_size < READLINE_CMD_BUF_SIZE) {
|
||||
memmove(rs->cmd_buf + rs->cmd_buf_index + 1,
|
||||
rs->cmd_buf + rs->cmd_buf_index,
|
||||
rs->cmd_buf_size - rs->cmd_buf_index);
|
||||
|
||||
Reference in New Issue
Block a user