[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] [PATCH] console: avoid buffer overflow in guest_console_write()



Jan Beulich writes ("[PATCH] console: avoid buffer overflow in 
guest_console_write()"):
> The switch of guest_console_write()'s second parameter from plain to
> unsigned int has caused the function's main loop header to no longer
> guard the min_t() use within the function against effectively negative
> values, due to the casts hidden inside the macro. Replace by a plain
> min(), converting one of the arguments suitably without involving any
> cast.
> 
> Fixes: ea601ec9995b ("xen/console: Rework HYPERCALL_console_io interface")
> Reported-by: Ilja Van Sprundel <ivansprundel@xxxxxxxxxxxx>
> Signed-off-by: Jan Beulich <jbeulich@xxxxxxxx>

ea601ec9995b included this hunk:

       case CONSOLEIO_read:
  +        /*
  +         * The return value is either the number of characters read or
  +         * a negative value in case of error. So we need to prevent
  +         * overlap between the two sets.
  +         */
  +        rc = -E2BIG;
  +        if ( count > INT_MAX )
  +            break;

Maybe it would be good to move that outside the switch so that it
affects CONSOLEIO_write too ?

Ian.

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxxx
https://lists.xenproject.org/mailman/listinfo/xen-devel

 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.