[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] [PATCH] console: avoid buffer overflow in guest_console_write()

To: Jan Beulich <jbeulich@xxxxxxxx>, "xen-devel@xxxxxxxxxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxxxxxxxxx>
From: Julien Grall <julien@xxxxxxx>
Date: Fri, 29 Nov 2019 10:39:54 +0000
Cc: Juergen Gross <jgross@xxxxxxxx>, Stefano Stabellini <sstabellini@xxxxxxxxxx>, Wei Liu <wl@xxxxxxx>, Konrad Wilk <konrad.wilk@xxxxxxxxxx>, George Dunlap <George.Dunlap@xxxxxxxxxxxxx>, Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, Ilja Van Sprundel <ivansprundel@xxxxxxxxxxxx>, Ian Jackson <ian.jackson@xxxxxxxxxx>
Delivery-date: Fri, 29 Nov 2019 10:39:58 +0000
List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

Hi,

On 29/11/2019 10:13, Jan Beulich wrote:

The switch of guest_console_write()'s second parameter from plain to
unsigned int has caused the function's main loop header to no longer
guard the min_t() use within the function against effectively negative
values, due to the casts hidden inside the macro. Replace by a plain
min(), converting one of the arguments suitably without involving any
cast.

Fixes: ea601ec9995b ("xen/console: Rework HYPERCALL_console_io interface")
Reported-by: Ilja Van Sprundel <ivansprundel@xxxxxxxxxxxx>
Signed-off-by: Jan Beulich <jbeulich@xxxxxxxx>


Sorry for the breakage.

Acked-by: Julien Grall <julien@xxxxxxx>

Cheers,


--- a/xen/drivers/char/console.c
+++ b/xen/drivers/char/console.c
@@ -538,7 +538,7 @@ static long guest_console_write(XEN_GUES
                  __HYPERVISOR_console_io, "iih",
                  CONSOLEIO_write, count, buffer);

- kcount = min_t(int, count, sizeof(kbuf)-1);

+        kcount = min(count + sizeof(char[0]), sizeof(kbuf) - 1);
          if ( copy_from_guest(kbuf, buffer, kcount) )
              return -EFAULT;


--
Julien Grall

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxxx
https://lists.xenproject.org/mailman/listinfo/xen-devel

References:
- [Xen-devel] [PATCH] console: avoid buffer overflow in guest_console_write()
  - From: Jan Beulich

Prev by Date: Re: [Xen-devel] [PATCH-for-4.13 v5] Rationalize max_grant_frames and max_maptrack_frames handling
Next by Date: Re: [Xen-devel] bug suspcion and proposed modification when xen-pciback failed to map an irq (-19) to a domU
Previous by thread: Re: [Xen-devel] [PATCH] console: avoid buffer overflow in guest_console_write()
Next by thread: Re: [Xen-devel] [PATCH] console: avoid buffer overflow in guest_console_write()
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.