On 29.11.2019 12:59, Ian Jackson wrote:
> Jan Beulich writes ("[PATCH] console: avoid buffer overflow in
> guest_console_write()"):
>> The switch of guest_console_write()'s second parameter from plain to
>> unsigned int has caused the function's main loop header to no longer
>> guard the min_t() use within the function against effectively negative
>> values, due to the casts hidden inside the macro. Replace by a plain
>> min(), converting one of the arguments suitably without involving any
>> cast.
>>
>> Fixes: ea601ec9995b ("xen/console: Rework HYPERCALL_console_io interface")
>> Reported-by: Ilja Van Sprundel <ivansprun...@ioactive.com>
>> Signed-off-by: Jan Beulich <jbeul...@suse.com>
>
> ea601ec9995b included this hunk:
>
> case CONSOLEIO_read:
> + /*
> + * The return value is either the number of characters read or
> + * a negative value in case of error. So we need to prevent
> + * overlap between the two sets.
> + */
> + rc = -E2BIG;
> + if ( count > INT_MAX )
> + break;
>
> Maybe it would be good to move that outside the switch so that it
> affects CONSOLEIO_write too ?

And any future subops? And limit output more than necessary (not that
I think anyone will want to push more than 2G at a time through this
interface, but anyway)?

Jan
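
Review bot: the count > INT_MAX check sits under case CONSOLEIO_read: only, and the comment's reason for it (the return value doubling as a character count) also applies only to that subop. The comment should say that the limit is specific to read, so it is not mistaken for input validation covering the other subops. A write path that takes an unsigned count then has to be safe for values above INT_MAX on its own, which is what replacing min_t() with a plain min() addresses.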
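
An added illustration, not code from Xen or from this thread: a simplified model of the pattern the quoted commit message describes, where a casting min_t()-style macro turns an unsigned count above INT_MAX into a negative chunk length, next to a plain comparison without a narrowing cast. The MIN_T macro, the 128-byte buffer size and all function names are assumptions made for the model.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

#define KBUF_SIZE 128 /* assumed size of the on-stack buffer in this model */

/* Simplified stand-in for a min_t()-style macro: both operands are cast
 * to the named type before the comparison. */
#define MIN_T(type, x, y) ((type)(x) < (type)(y) ? (type)(x) : (type)(y))

/* Pre-fix pattern: an unsigned count above INT_MAX turns negative in the cast. */
static int chunk_len_cast(unsigned int count)
{
    return MIN_T(int, count, KBUF_SIZE - 1);
}

/* Post-fix pattern: widen one argument, compare without a narrowing cast. */
static size_t chunk_len_plain(unsigned int count)
{
    size_t want = count, room = KBUF_SIZE - 1;
    return want < room ? want : room;
}

/* Model of the copy loop: iterations needed to drain count, or -1 as soon
 * as a chunk length, seen as size_t by the copy routine, exceeds the buffer. */
static long drain(unsigned int count, int use_cast)
{
    long iters = 0;
    while (count > 0) {
        size_t len = use_cast ? (size_t)chunk_len_cast(count)
                              : chunk_len_plain(count);
        if (len >= KBUF_SIZE)
            return -1; /* would overrun kbuf */
        count -= (unsigned int)len;
        iters++;
    }
    return iters;
}

int main(void)
{
    unsigned int big = (unsigned int)INT_MAX + 1u; /* constructed input */
    printf("cast:  len=%d drain=%ld\n", chunk_len_cast(big), drain(big, 1));
    printf("plain: len=%zu drain=%ld\n", chunk_len_plain(big), drain(big, 0));
    return 0;
}
```

The loop condition count > 0 is true for every nonzero unsigned value, so it no longer filters out the inputs that become negative inside the cast.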