[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [Xen-changelog] [xen master] console: avoid buffer overflow in guest_console_write()
commit aaf8839fdf8b9b1a93a3837b82f680adea1b297c Author: Jan Beulich <jbeulich@xxxxxxxx> AuthorDate: Fri Nov 29 17:08:20 2019 +0100 Commit: Jan Beulich <jbeulich@xxxxxxxx> CommitDate: Fri Nov 29 17:08:20 2019 +0100 console: avoid buffer overflow in guest_console_write() The switch of guest_console_write()'s second parameter from plain to unsigned int has caused the function's main loop header to no longer guard the min_t() use within the function against effectively negative values, due to the casts hidden inside the macro. Replace by a plain min(), casting one of the arguments as necessary. Fixes: ea601ec9995b ("xen/console: Rework HYPERCALL_console_io interface") Reported-by: Ilja Van Sprundel <ivansprundel@xxxxxxxxxxxx> Signed-off-by: Jan Beulich <jbeulich@xxxxxxxx> Reviewed-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx> Acked-by: Julien Grall <julien@xxxxxxx> --- xen/drivers/char/console.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/xen/drivers/char/console.c b/xen/drivers/char/console.c index e133534be7..aa72bd1244 100644 --- a/xen/drivers/char/console.c +++ b/xen/drivers/char/console.c @@ -538,7 +538,7 @@ static long guest_console_write(XEN_GUEST_HANDLE_PARAM(char) buffer, __HYPERVISOR_console_io, "iih", CONSOLEIO_write, count, buffer); - kcount = min_t(int, count, sizeof(kbuf)-1); + kcount = min((size_t)count, sizeof(kbuf) - 1); if ( copy_from_guest(kbuf, buffer, kcount) ) return -EFAULT; -- generated by git-patchbot for /home/xen/git/xen.git#master _______________________________________________ Xen-changelog mailing list Xen-changelog@xxxxxxxxxxxxxxxxxxxx https://lists.xenproject.org/xen-changelog
|
Lists.xenproject.org is hosted with RackSpace, monitoring our |