[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Xen-devel] [PATCH] console: avoid buffer overflow in guest_console_write()
- To: Jan Beulich <jbeulich@xxxxxxxx>, Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
- From: Jürgen Groß <jgross@xxxxxxxx>
- Date: Fri, 29 Nov 2019 14:37:37 +0100
- Cc: Stefano Stabellini <sstabellini@xxxxxxxxxx>, Julien Grall <julien@xxxxxxx>, Wei Liu <wl@xxxxxxx>, KonradWilk <konrad.wilk@xxxxxxxxxx>, Ilja Van Sprundel <ivansprundel@xxxxxxxxxxxx>, GeorgeDunlap <George.Dunlap@xxxxxxxxxx>, Ian Jackson <ian.jackson@xxxxxxxxxx>, "xen-devel@xxxxxxxxxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxxxxxxxxx>
- Delivery-date: Fri, 29 Nov 2019 13:38:01 +0000
- List-id: Xen developer discussion <xen-devel.lists.xenproject.org>
On 29.11.19 14:26, Jan Beulich wrote:
On 29.11.2019 13:37, Andrew Cooper wrote:
On 29/11/2019 12:19, Jan Beulich wrote:
On 29.11.2019 13:15, Andrew Cooper wrote:
On 29/11/2019 12:13, Jan Beulich wrote:
On 29.11.2019 13:01, Ian Jackson wrote:
Jan Beulich writes ("Re: [PATCH] console: avoid buffer overflow in
guest_console_write()"):
On 29.11.2019 11:22, Andrew Cooper wrote:
Is sizeof(array[0]) always 0, or is this just a GCC-ism ? Godbolt
suggests is 0 on all compiler we support.
Either way, isn't the more common idiom + 0ul ? Personally, I feel that
is clearer to follow.
I decided against + 0ul or alike because in principle size_t
and unsigned long are different types. In particular 32-bit
x86 gcc uses unsigned int for size_t, and hence min()'s
type safety check would cause the build to fail there. The
same risk obviously exists for any 32-bit arch (e.g. Arm32,
but I haven't checked what type it actually uses).
I don't know what i wrong with
(size_t)0
which is shorter, even !
True. Yet it contains a cast, no matter how risk-free it may be
in this case. With a cast, I could as well have written (yet
shorter) (size_t)count.
Given that min() has a very strict typecheck, I think we should permit
any use of an explicit cast in a single operand, because it *is* safer
than switching to the min_t() route to make things compile.
Well, I can switch to (size_t)count if this is liked better
overall.
Personally, I'd prefer this option most of all.
Okay, I've switched to this, but while doing so I started wondering
why we'd then not use
kcount = min(count, (unsigned int)sizeof(kbuf) - 1);
which is an (often slightly cheaper) 32-bit operation (and which
is what I had actually started from).
While modifying guest_console_write(), would you mind writing a '\0'
to kbuf[kcount]? There is a "conring_puts(kbuf);" later in this
function which would like a 0 terminated string as input.
Juergen
_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxxx
https://lists.xenproject.org/mailman/listinfo/xen-devel
|
