console: avoid buffer overrun in guest_console_write()

Message ID	909ca24b-e673-e786-06b4-c8877288248b@suse.com (mailing list archive)
State	New, archived
Headers	show Return-Path: <SRS0=4rCt=ZV=lists.xenproject.org=xen-devel-bounces@kernel.org> DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 76216208E4 To: "xen-devel@lists.xenproject.org" <xen-devel@lists.xenproject.org> From: Jan Beulich <jbeulich@suse.com> Message-ID: <909ca24b-e673-e786-06b4-c8877288248b@suse.com> Date: Fri, 29 Nov 2019 15:15:17 +0100 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:60.0) Gecko/20100101 Thunderbird/60.9.1 MIME-Version: 1.0 Content-Language: en-US Subject: [Xen-devel] [PATCH] console: avoid buffer overrun in guest_console_write() Precedence: list Cc: Juergen Gross <jgross@suse.com>, Stefano Stabellini <sstabellini@kernel.org>, Julien Grall <julien@xen.org>, Wei Liu <wl@xen.org>, Konrad Wilk <konrad.wilk@oracle.com>, George Dunlap <George.Dunlap@eu.citrix.com>, Andrew Cooper <andrew.cooper3@citrix.com>, Ian Jackson <ian.jackson@citrix.com> Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: base64 Errors-To: xen-devel-bounces@lists.xenproject.org Sender: "Xen-devel" <xen-devel-bounces@lists.xenproject.org>
Series	console: avoid buffer overrun in guest_console_write() \| expand console: avoid buffer overrun in guest_console_write()

Message ID

909ca24b-e673-e786-06b4-c8877288248b@suse.com (mailing list archive)

State

New, archived

Headers

DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 76216208E4
To: "xen-devel@lists.xenproject.org" <xen-devel@lists.xenproject.org>
From: Jan Beulich <jbeulich@suse.com>
Message-ID: <909ca24b-e673-e786-06b4-c8877288248b@suse.com>
Date: Fri, 29 Nov 2019 15:15:17 +0100
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:60.0) Gecko/20100101
 Thunderbird/60.9.1
MIME-Version: 1.0
Content-Language: en-US
Subject: [Xen-devel] [PATCH] console: avoid buffer overrun in
 guest_console_write()
Precedence: list
Cc: Juergen Gross <jgross@suse.com>,
 Stefano Stabellini <sstabellini@kernel.org>, Julien Grall <julien@xen.org>,
 Wei Liu <wl@xen.org>, Konrad Wilk <konrad.wilk@oracle.com>,
 George Dunlap <George.Dunlap@eu.citrix.com>,
 Andrew Cooper <andrew.cooper3@citrix.com>,
 Ian Jackson <ian.jackson@citrix.com>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
Errors-To: xen-devel-bounces@lists.xenproject.org
Sender: "Xen-devel" <xen-devel-bounces@lists.xenproject.org>

Series

console: avoid buffer overrun in guest_console_write() | expand

Commit Message

Jan Beulich Nov. 29, 2019, 2:15 p.m. UTC

conring_puts() has been requiring a nul-terminated string, which the
local kbuf[] doesn't get set for anymore. Add a length parameter to the
function, just like was done for others, thus allowing embedded nul to
also be read through XEN_SYSCTL_readconsole.

While there drop a stray cast: Both operands of - are already uint32_t.

Fixes: ea601ec9995b ("xen/console: Rework HYPERCALL_console_io interface")
Reported-by: Jürgen Groß <jgross@suse.com>
Signed-off-by: Jan Beulich <jbeulich@suse.com>

Comments

Jürgen Groß Nov. 29, 2019, 2:20 p.m. UTC | #1

On 29.11.19 15:15, Jan Beulich wrote:
> conring_puts() has been requiring a nul-terminated string, which the
> local kbuf[] doesn't get set for anymore. Add a length parameter to the
> function, just like was done for others, thus allowing embedded nul to
> also be read through XEN_SYSCTL_readconsole.
> 
> While there drop a stray cast: Both operands of - are already uint32_t.
> 
> Fixes: ea601ec9995b ("xen/console: Rework HYPERCALL_console_io interface")
> Reported-by: Jürgen Groß <jgross@suse.com>
> Signed-off-by: Jan Beulich <jbeulich@suse.com>

Reviewed-by: Juergen Gross <jgross@suse.com>
Release-acked-by: Juergen Gross <jgross@suse.com>


Juergen

Julien Grall Nov. 29, 2019, 2:23 p.m. UTC | #2

Hi,

On 29/11/2019 14:15, Jan Beulich wrote:
> conring_puts() has been requiring a nul-terminated string, which the
> local kbuf[] doesn't get set for anymore. Add a length parameter to the
> function, just like was done for others, thus allowing embedded nul to
> also be read through XEN_SYSCTL_readconsole.
> 
> While there drop a stray cast: Both operands of - are already uint32_t.
> 
> Fixes: ea601ec9995b ("xen/console: Rework HYPERCALL_console_io interface")

Sorry again :(.

> Reported-by: Jürgen Groß <jgross@suse.com>
> Signed-off-by: Jan Beulich <jbeulich@suse.com>

Acked-by: Julien Grall <julien@xen.org>

Cheers,

--- a/xen/drivers/char/console.c
+++ b/xen/drivers/char/console.c
@@ -257,16 +257,14 @@  static void do_dec_thresh(unsigned char
  * ********************************************************
  */
 
-static void conring_puts(const char *str)
+static void conring_puts(const char *str, size_t len)
 {
-    char c;
-
     ASSERT(spin_is_locked(&console_lock));
 
-    while ( (c = *str++) != '\0' )
-        conring[CONRING_IDX_MASK(conringp++)] = c;
+    while ( len-- )
+        conring[CONRING_IDX_MASK(conringp++)] = *str++;
 
-    if ( (uint32_t)(conringp - conringc) > conring_size )
+    if ( conringp - conringc > conring_size )
         conringc = conringp - conring_size;
 }
 
@@ -562,7 +560,7 @@  static long guest_console_write(XEN_GUES
 
             if ( opt_console_to_ring )
             {
-                conring_puts(kbuf);
+                conring_puts(kbuf, kcount);
                 tasklet_schedule(&notify_dom0_con_ring_tasklet);
             }
 
@@ -687,7 +685,7 @@  static void __putstr(const char *str)
     }
 #endif
 
-    conring_puts(str);
+    conring_puts(str, len);
 
     if ( !console_locks_busted )
         tasklet_schedule(&notify_dom0_con_ring_tasklet);

console: avoid buffer overrun in guest_console_write()

Commit Message

Comments

Patch