[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] Re: [Xen-devel] [PATCH] console: avoid buffer overflow in guest_console_write()
Jan Beulich writes ("[PATCH] console: avoid buffer overflow in guest_console_write()"): > The switch of guest_console_write()'s second parameter from plain to > unsigned int has caused the function's main loop header to no longer > guard the min_t() use within the function against effectively negative > values, due to the casts hidden inside the macro. Replace by a plain > min(), converting one of the arguments suitably without involving any > cast. > > Fixes: ea601ec9995b ("xen/console: Rework HYPERCALL_console_io interface") > Reported-by: Ilja Van Sprundel <ivansprundel@xxxxxxxxxxxx> > Signed-off-by: Jan Beulich <jbeulich@xxxxxxxx> ea601ec9995b included this hunk: case CONSOLEIO_read: + /* + * The return value is either the number of characters read or + * a negative value in case of error. So we need to prevent + * overlap between the two sets. + */ + rc = -E2BIG; + if ( count > INT_MAX ) + break; Maybe it would be good to move that outside the switch so that it affects CONSOLEIO_write too ? Ian. _______________________________________________ Xen-devel mailing list Xen-devel@xxxxxxxxxxxxxxxxxxxx https://lists.xenproject.org/mailman/listinfo/xen-devel
|
![]() |
Lists.xenproject.org is hosted with RackSpace, monitoring our |