Heap-buffer-overflow in synth_name_to_path
Hello,
Reproducer (qtest script):
cat << EOF | ./qemu-system-i386 -display none -machine accel=qtest, -m \
512M -machine q35 -nodefaults -device \
virtio-9p,fsdev=hshare,mount_tag=hshare -fsdev synth,id=hshare -qtest \
stdio
outl 0xcf8 0x80000810
outl 0xcfc 0xc000
outl 0xcf8 0x80000820
outl 0xcfc 0xe0004000
outl 0xcf8 0x80000804
outw 0xcfc 0x7
outw 0xc008 0xc200
write 0xc200802 0x1 0x04
write 0xc200804 0x1 0x06
write 0xc200060 0x1 0x15
write 0xc200063 0x1 0x01
write 0xc20006a 0x1 0x01
write 0xc20006c 0x1 0x01
write 0x1000019 0x1 0x7e
write 0x100001e 0x1 0x8a
write 0x100001f 0x1 0xff
write 0x1000037 0x1 0xff
write 0x1000038 0x1 0xff
write 0x1000039 0x1 0xff
write 0x100003a 0x1 0xff
write 0x100004b 0x1 0xff
write 0x100004c 0x1 0x06
write 0x100074e 0x1 0x7e
write 0x100074f 0x1 0x3b
write 0x10042ce 0x1 0x06
write 0x10042d6 0x1 0x3f
write 0x10042d7 0x1 0x2f
write 0x1007217 0x1 0xff
write 0x1007218 0x1 0xff
write 0x1007219 0x1 0xff
write 0x100721a 0x1 0xff
write 0x100721b 0x1 0xff
write 0x100721c 0x1 0xff
write 0x100721d 0x1 0xff
write 0x100721e 0x1 0xff
write 0xc200150 0x1 0x15
write 0xc200153 0x1 0x03
write 0xc20015a 0x1 0x01
write 0xc20015c 0x1 0x01
write 0x3000019 0x1 0x68
write 0x300001e 0x1 0x8a
write 0x300001f 0x1 0xff
write 0xc200009 0x1 0x01
write 0xc20000c 0x1 0x02
write 0xc200806 0x1 0x06
write 0xc200808 0x1 0x15
write 0xc20080a 0x1 0x06
write 0xe0007003 0x1 0x00
outw 0xc008 0x0
EOF
Output (AddressSanitizer report):
==36746==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x5020000b3770 at pc 0xaaaab4c8b738 bp 0xffff685ffbd0 sp 0xffff685ffbc8
READ of size 8 at 0x5020000b3770 thread T3
#0 0xaaaab4c8b734 in synth_name_to_path /home/alxndr/Development/qemu/build/../hw/9pfs/9p-synth.c:504:20
#1 0xaaaab4cd9460 in v9fs_co_name_to_path /home/alxndr/Development/qemu/build/../hw/9pfs/cofs.c:404:9
#2 0xaaaab4cbca4c in v9fs_complete_rename /home/alxndr/Development/qemu/build/../hw/9pfs/9p.c:3320:15
#3 0xaaaab4cb530c in v9fs_wstat /home/alxndr/Development/qemu/build/../hw/9pfs/9p.c:3608:15
#4 0xaaaab69ba09c in coroutine_trampoline /home/alxndr/Development/qemu/build/../util/coroutine-ucontext.c:175:9
#5 0xffff8e54cbc4 in __startcontext stdlib/../sysdeps/unix/sysv/linux/aarch64/setcontext.S:187
0x5020000b3773 is located 0 bytes after 3-byte region [0x5020000b3770,0x5020000b3773)
allocated by thread T0 here:
#0 0xaaaab4ae06a4 in malloc (/home/alxndr/Development/qemu/build/qemu-system-i386+0x1f606a4) (BuildId: 468340917518d1ae221558b417197e6f6457cdd1)
#1 0xffff8e589f24 in __vasprintf_internal libio/vasprintf.c:116:17
#2 0xffff8e60b050 in __vasprintf_chk debug/vasprintf_chk.c:36:10
#3 0xffff8eadb240 in g_vasprintf (/lib/aarch64-linux-gnu/libglib-2.0.so.0+0xbb240) (BuildId: c9da78597c6a0ebe7e725c7af12ab8c0b9da4b5b)
#4 0xaaaab4c90344 in v9fs_path_sprintf /home/alxndr/Development/qemu/build/../hw/9pfs/9p.c:214:18
#5 0xaaaab4cbc9d0 in v9fs_complete_rename /home/alxndr/Development/qemu/build/../hw/9pfs/9p.c:3317:9
#6 0xaaaab4cb530c in v9fs_wstat /home/alxndr/Development/qemu/build/../hw/9pfs/9p.c:3608:15
#7 0xaaaab69ba09c in coroutine_trampoline /home/alxndr/Development/qemu/build/../util/coroutine-ucontext.c:175:9
#8 0xffff8e54cbc4 in __startcontext stdlib/../sysdeps/unix/sysv/linux/aarch64/setcontext.S:187
Thread T3 created by T0 here:
#0 0xaaaab4ac5400 in pthread_create (/home/alxndr/Development/qemu/build/qemu-system-i386+0x1f45400) (BuildId: 468340917518d1ae221558b417197e6f6457cdd1)
#1 0xaaaab695f42c in qemu_thread_create /home/alxndr/Development/qemu/build/../util/qemu-thread-posix.c:433:11
#2 0xaaaab69bfe30 in do_spawn_thread /home/alxndr/Development/qemu/build/../util/thread-pool.c:146:5
#3 0xaaaab69bfc8c in spawn_thread_bh_fn /home/alxndr/Development/qemu/build/../util/thread-pool.c:154:5
#4 0xaaaab69aaeb8 in aio_bh_call /home/alxndr/Development/qemu/build/../util/async.c:172:5
#5 0xaaaab69ab4a0 in aio_bh_poll /home/alxndr/Development/qemu/build/../util/async.c:219:13
#6 0xaaaab694dc28 in aio_poll /home/alxndr/Development/qemu/build/../util/aio-posix.c:746:17
#7 0xaaaab4c99ba8 in v9fs_reset /home/alxndr/Development/qemu/build/../hw/9pfs/9p.c:4425:9
#8 0xaaaab632a568 in virtio_reset /home/alxndr/Development/qemu/build/../hw/virtio/virtio.c:3240:9
This corresponds to OSS-Fuzz issue https://issues.oss-fuzz.com/u/1/issues/477990727
Thank you