When built with ASAN, "xl dmesg" crashes in the "printf("%s", line)"
call in main_dmesg(). ASAN reports a heap buffer overflow: an
off-by-one access to cr->buffer.
The readconsole sysctl copies up to count characters into the buffer,
but it does not add a null character at the end. Despite the
documentation of libxl_xen_console_read_line(), line_r is not
nul-terminated if 16384 characters were copied to the buffer.
Fix this by making count one less that the size of the allocated
buffer so that the last byte is always null.
Reported-by: Edwin Török <edwin.to...@cloud.com>
Signed-off-by: Javi Merino <javi.mer...@cloud.com>
---
tools/libs/light/libxl_console.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tools/libs/light/libxl_console.c b/tools/libs/light/libxl_console.c
index a563c9d3c7f9..fa28e2139453 100644
--- a/tools/libs/light/libxl_console.c
+++ b/tools/libs/light/libxl_console.c
@@ -779,7 +779,7 @@ libxl_xen_console_reader *
cr = libxl__zalloc(NOGC, sizeof(libxl_xen_console_reader));
cr->buffer = libxl__zalloc(NOGC, size);
cr->size = size;
- cr->count = size;
+ cr->count = size - 1;
cr->clear = clear;
cr->incremental = 1;
--
2.44.0
