[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] [PATCH] console: avoid buffer overflow in guest_console_write()



On 29.11.2019 14:37, Jürgen Groß wrote:
> On 29.11.19 14:26, Jan Beulich wrote:
>> On 29.11.2019 13:37, Andrew Cooper wrote:
>>> On 29/11/2019 12:19, Jan Beulich wrote:
>>>> On 29.11.2019 13:15, Andrew Cooper wrote:
>>>>> On 29/11/2019 12:13, Jan Beulich wrote:
>>>>>> On 29.11.2019 13:01, Ian Jackson wrote:
>>>>>>> Jan Beulich writes ("Re: [PATCH] console: avoid buffer overflow in 
>>>>>>> guest_console_write()"):
>>>>>>>> On 29.11.2019 11:22, Andrew Cooper wrote:
>>>>>>>>> Is sizeof(array[0]) always 0, or is this just a GCC-ism ?  Godbolt
>>>>>>>>> suggests is 0 on all compiler we support.
>>>>>>>>>
>>>>>>>>> Either way, isn't the more common idiom + 0ul ?  Personally, I feel 
>>>>>>>>> that
>>>>>>>>> is clearer to follow.
>>>>>>>> I decided against + 0ul or alike because in principle size_t
>>>>>>>> and unsigned long are different types. In particular 32-bit
>>>>>>>> x86 gcc uses unsigned int for size_t, and hence min()'s
>>>>>>>> type safety check would cause the build to fail there. The
>>>>>>>> same risk obviously exists for any 32-bit arch (e.g. Arm32,
>>>>>>>> but I haven't checked what type it actually uses).
>>>>>>> I don't know what i wrong with
>>>>>>>     (size_t)0
>>>>>>> which is shorter, even !
>>>>>> True. Yet it contains a cast, no matter how risk-free it may be
>>>>>> in this case. With a cast, I could as well have written (yet
>>>>>> shorter) (size_t)count.
>>>>> Given that min() has a very strict typecheck, I think we should permit
>>>>> any use of an explicit cast in a single operand, because it *is* safer
>>>>> than switching to the min_t() route to make things compile.
>>>> Well, I can switch to (size_t)count if this is liked better
>>>> overall.
>>>
>>> Personally, I'd prefer this option most of all.
>>
>> Okay, I've switched to this, but while doing so I started wondering
>> why we'd then not use
>>
>>          kcount = min(count, (unsigned int)sizeof(kbuf) - 1);
>>
>> which is an (often slightly cheaper) 32-bit operation (and which
>> is what I had actually started from).
> 
> While modifying guest_console_write(), would you mind writing a '\0'
> to kbuf[kcount]? There is a "conring_puts(kbuf);" later in this
> function which would like a 0 terminated string as input.

That's not the right change for this problem, I think. Now that
we support embedded nul characters, a count should be passed
instead. Julien?

I also wouldn't want to merge this into this patch; I'm happy to
send a separate one.

Jan

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxxx
https://lists.xenproject.org/mailman/listinfo/xen-devel

 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.