On 29/11/2019 12:15, Jan Beulich wrote:
> On 29.11.2019 12:59, Ian Jackson wrote:
>> Jan Beulich writes ("[PATCH] console: avoid buffer overflow in
>> guest_console_write()"):
>>> The switch of guest_console_write()'s second parameter from plain to
>>> unsigned int has caused the function's main loop header to no longer
>>> guard the min_t() use within the function against effectively negative
>>> values, due to the casts hidden inside the macro. Replace by a plain
>>> min(), converting one of the arguments suitably without involving any
>>> cast.
>>>
>>> Fixes: ea601ec9995b ("xen/console: Rework HYPERCALL_console_io interface")
>>> Reported-by: Ilja Van Sprundel <ivansprun...@ioactive.com>
>>> Signed-off-by: Jan Beulich <jbeul...@suse.com>
>> ea601ec9995b included this hunk:
>>
>> case CONSOLEIO_read:
>> + /*
>> + * The return value is either the number of characters read or
>> + * a negative value in case of error. So we need to prevent
>> + * overlap between the two sets.
>> + */
>> + rc = -E2BIG;
>> + if ( count > INT_MAX )
>> + break;
>>
>> Maybe it would be good to move that outside the switch so that it
>> affects CONSOLEIO_write too ?
> And any future subops? And limit output more than necessary (not
> that I think anyone will want to push more than 2G at a time
> through this interface, but anyway)?

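Review bot: The `count > INT_MAX` bound in the quoted hunk sits inside `case CONSOLEIO_read:` only, so nothing in these lines limits `count` for any other subop. The comment explains why the read path needs the limit (the return value doubles as a character count and a negative error), but it should also say that the check is deliberately read-specific, so that a reader does not assume other paths are covered; any path that later converts `count` to a signed type needs its own guard at that point.
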
Linux is seriously considering initrds > 4G now for various usecases. 2G really isn't enough for everyone, and we shouldn't hardcode blind presumptions like this.

~Andrew
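
The signed-cast problem described in the quoted commit message, as an added example that is not part of the thread or of Xen's code. `min_t` here is a simplified stand-in macro, `KBUF_SIZE`, `chunk_len_min_t` and `chunk_len_unsigned` are hypothetical names, and the code assumes a 32-bit `int` with GCC/Clang conversion behaviour.

```c
#include <limits.h>
#include <stdio.h>

/* Simplified stand-in for a kernel-style helper (assumed shape, not Xen's header). */
#define min_t(type, a, b) ((type)(a) < (type)(b) ? (type)(a) : (type)(b))

#define KBUF_SIZE 128u /* constructed buffer size for this demo */

/*
 * "Before": count is unsigned, so a loop guard of the form `count > 0`
 * (assumed here) is true for every non-zero value, including those above
 * INT_MAX. min_t(int, ...) then casts count to int; with GCC/Clang a value
 * above INT_MAX converts to a negative int (implementation-defined), which
 * wins the comparison and would become the copy length.
 */
static int chunk_len_min_t(unsigned int count)
{
    return min_t(int, count, KBUF_SIZE - 1);
}

/*
 * "After": compare in the unsigned domain with no cast to a signed type,
 * so the result can never exceed KBUF_SIZE - 1.
 */
static unsigned int chunk_len_unsigned(unsigned int count)
{
    unsigned int limit = KBUF_SIZE - 1;
    return count < limit ? count : limit;
}

int main(void)
{
    /* Constructed sample counts: small, at the limit, large, and above INT_MAX. */
    const unsigned int samples[] = { 5u, 127u, 4096u,
                                     (unsigned int)INT_MAX + 1u, UINT_MAX };

    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("count=%u  min_t(int)=%d  unsigned min=%u\n", samples[i],
               chunk_len_min_t(samples[i]), chunk_len_unsigned(samples[i]));
    return 0;
}
```

A negative length from the first function, once passed to a copy routine that takes `size_t`, becomes a very large unsigned value, which is why the clamp has to happen without a signed cast.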