
Re: [Xen-devel] [PATCH] console: avoid buffer overflow in guest_console_write()



On 29.11.2019 12:59, Ian Jackson wrote:
> Jan Beulich writes ("[PATCH] console: avoid buffer overflow in 
> guest_console_write()"):
>> The switch of guest_console_write()'s second parameter from plain to
>> unsigned int has caused the function's main loop header to no longer
>> guard the min_t() use within the function against effectively negative
>> values, due to the casts hidden inside the macro. Replace by a plain
>> min(), converting one of the arguments suitably without involving any
>> cast.
>>
>> Fixes: ea601ec9995b ("xen/console: Rework HYPERCALL_console_io interface")
>> Reported-by: Ilja Van Sprundel <ivansprundel@xxxxxxxxxxxx>
>> Signed-off-by: Jan Beulich <jbeulich@xxxxxxxx>
> 
> ea601ec9995b included this hunk:
> 
>        case CONSOLEIO_read:
>   +        /*
>   +         * The return value is either the number of characters read or
>   +         * a negative value in case of error. So we need to prevent
>   +         * overlap between the two sets.
>   +         */
>   +        rc = -E2BIG;
>   +        if ( count > INT_MAX )
>   +            break;
> 
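
Review bot: The `count > INT_MAX` check sits under `case CONSOLEIO_read:`, so it bounds the read subop only, even though the reason given in the comment (a returned count must not overlap with the negative error range) concerns the return value and not this one subop. Either state in the comment that the bound is deliberately read-only and why the other subops do not need it, or have each subop that consumes `count` validate it at the point of use; a path that later narrows `count` to a signed type gets no protection from this hunk.
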
> Maybe it would be good to move that outside the switch so that it
> affects CONSOLEIO_write too ?

And any future subops? And limit output more than necessary (not
that I think anyone will want to push more than 2G at a time
through this interface, but anyway)?

Jan

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxxx
https://lists.xenproject.org/mailman/listinfo/xen-devel
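
The signedness problem described in the quoted commit message, as an added example that is not part of the original thread and is not Xen's code: a min_t()-style macro that converts an unsigned count to int, next to a variant that widens instead of narrowing. The macro body, `KBUF_SIZE`, and the function names `chunk_min_t`, `chunk_widened` and `write_loop` are assumptions made for illustration.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

#define KBUF_SIZE 128 /* assumed size of the staging buffer */

/* Simplified model of a min_t()-style macro: both operands are
 * converted to the named type before they are compared. */
#define min_t(type, x, y) ((type)(x) < (type)(y) ? (type)(x) : (type)(y))

/* Chunk length via the casting macro. A count above INT_MAX becomes
 * negative when converted to int (two's-complement ABIs), so it "wins"
 * the comparison against the buffer bound. */
static int chunk_min_t(unsigned int count)
{
    return min_t(int, count, KBUF_SIZE - 1);
}

/* Chunk length with count widened to size_t instead of narrowed. */
static int chunk_widened(unsigned int count)
{
    size_t want = count, cap = KBUF_SIZE - 1;
    return (int)(want < cap ? want : cap);
}

/* Model of the write loop with an unsigned count: the loop header only
 * rejects zero. Returns the number of chunks processed, or -1 as soon
 * as a chunk length falls outside the staging buffer. */
static long write_loop(unsigned int count, int (*chunk)(unsigned int))
{
    long chunks = 0;
    while (count > 0) {
        int kcount = chunk(count);
        if (kcount < 0 || kcount > KBUF_SIZE - 1)
            return -1; /* a copy of this length would overrun kbuf */
        count -= (unsigned int)kcount;
        chunks++;
    }
    return chunks;
}

int main(void)
{
    unsigned int big = (unsigned int)INT_MAX + 1u; /* constructed input */
    printf("min_t:   chunk=%d loop=%ld\n", chunk_min_t(big), write_loop(big, chunk_min_t));
    printf("widened: chunk=%d loop=%ld\n", chunk_widened(big), write_loop(big, chunk_widened));
    return 0;
}
```

With a plain int count, a loop header of the form `count > 0` would never be entered for the same bit pattern, which is the guard the commit message says was lost.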

 

