From patchwork Wed Jan 6 20:03:21 2016 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Boris Ostrovsky X-Patchwork-Id: 7970481 Return-Path: X-Original-To: patchwork-xen-devel@patchwork.kernel.org Delivered-To: patchwork-parsemail@patchwork2.web.kernel.org Received: from mail.kernel.org (mail.kernel.org [198.145.29.136]) by patchwork2.web.kernel.org (Postfix) with ESMTP id A5E80BEEED for ; Wed, 6 Jan 2016 20:06:06 +0000 (UTC) Received: from mail.kernel.org (localhost [127.0.0.1]) by mail.kernel.org (Postfix) with ESMTP id D884B20154 for ; Wed, 6 Jan 2016 20:06:05 +0000 (UTC) Received: from lists.xen.org (lists.xenproject.org [50.57.142.19]) (using TLSv1 with cipher AES256-SHA (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPS id 0ED7B2015E for ; Wed, 6 Jan 2016 20:06:05 +0000 (UTC) Received: from localhost ([127.0.0.1] helo=lists.xen.org) by lists.xen.org with esmtp (Exim 4.72) (envelope-from ) id 1aGuIU-0005xt-UB; Wed, 06 Jan 2016 20:03:06 +0000 Received: from mail6.bemta14.messagelabs.com ([193.109.254.103]) by lists.xen.org with esmtp (Exim 4.72) (envelope-from ) id 1aGuIS-0005xc-PH for xen-devel@lists.xen.org; Wed, 06 Jan 2016 20:03:04 +0000 Received: from [193.109.254.147] by server-7.bemta-14.messagelabs.com id F1/54-28221-8F27D865; Wed, 06 Jan 2016 20:03:04 +0000 X-Env-Sender: boris.ostrovsky@oracle.com X-Msg-Ref: server-5.tower-27.messagelabs.com!1452110582!15135041!1 X-Originating-IP: [141.146.126.69] X-SpamReason: No, hits=0.0 required=7.0 tests=sa_preprocessor: VHJ1c3RlZCBJUDogMTQxLjE0Ni4xMjYuNjkgPT4gMjc3MjE4\n X-StarScan-Received: X-StarScan-Version: 7.35.1; banners=-,-,- X-VirusChecked: Checked Received: (qmail 55732 invoked from network); 6 Jan 2016 20:03:03 -0000 Received: from aserp1040.oracle.com (HELO aserp1040.oracle.com) (141.146.126.69) by server-5.tower-27.messagelabs.com with DHE-RSA-AES256-GCM-SHA384 encrypted SMTP; 6 Jan 2016 20:03:03 -0000 Received: from userv0022.oracle.com (userv0022.oracle.com [156.151.31.74]) by aserp1040.oracle.com (Sentrion-MTA-4.3.2/Sentrion-MTA-4.3.2) with ESMTP id u06K2uZM013304 (version=TLSv1 cipher=DHE-RSA-AES256-SHA bits=256 verify=FAIL); Wed, 6 Jan 2016 20:02:56 GMT Received: from aserv0122.oracle.com (aserv0122.oracle.com [141.146.126.236]) by userv0022.oracle.com (8.13.8/8.13.8) with ESMTP id u06K2tma007974 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=FAIL); Wed, 6 Jan 2016 20:02:55 GMT Received: from abhmp0001.oracle.com (abhmp0001.oracle.com [141.146.116.7]) by aserv0122.oracle.com (8.13.8/8.13.8) with ESMTP id u06K2tQC023927; Wed, 6 Jan 2016 20:02:55 GMT Received: from ovs104.us.oracle.com (/10.149.76.204) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Wed, 06 Jan 2016 12:02:55 -0800 From: Boris Ostrovsky To: ian.jackson@eu.citrix.com, stefano.stabellini@eu.citrix.com, ian.campbell@citrix.com, wei.liu2@citrix.com Date: Wed, 6 Jan 2016 15:03:21 -0500 Message-Id: <1452110602-3570-2-git-send-email-boris.ostrovsky@oracle.com> X-Mailer: git-send-email 1.7.1 In-Reply-To: <1452110602-3570-1-git-send-email-boris.ostrovsky@oracle.com> References: <1452110602-3570-1-git-send-email-boris.ostrovsky@oracle.com> X-Source-IP: userv0022.oracle.com [156.151.31.74] Cc: jgross@suse.com, andrew.cooper3@citrix.com, Boris Ostrovsky , roger.pau@citrix.com, xen-devel@lists.xen.org Subject: [Xen-devel] [PATCH v3 1/2] libxc: Don't write terminating NULL character to command string X-BeenThere: xen-devel@lists.xen.org X-Mailman-Version: 2.1.13 Precedence: list List-Id: Xen developer discussion List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Sender: xen-devel-bounces@lists.xen.org Errors-To: xen-devel-bounces@lists.xen.org X-Spam-Status: No, score=-4.2 required=5.0 tests=BAYES_00, RCVD_IN_DNSWL_MED, UNPARSEABLE_RELAY autolearn=unavailable version=3.3.1 X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on mail.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP When copying boot command string for HVMlite guests we explicitly write '\0' at MAX_GUEST_CMDLINE offset. Unless the string is close to MAX_GUEST_CMDLINE in length this write will end up in the wrong place, beyond the end of the mapped range. We don't need to limit the size of command string to some arbitrary number. Any size that can be successfully allocated and mapped is valid and so the string is guaranteed to be NULL-terminated (since we use strlen, which needs terminating '\0', to calculate allocation size). Signed-off-by: Boris Ostrovsky Acked-by: Wei Liu --- tools/libxc/xc_dom_x86.c | 3 +-- 1 files changed, 1 insertions(+), 2 deletions(-) diff --git a/tools/libxc/xc_dom_x86.c b/tools/libxc/xc_dom_x86.c index 3960875..b8d2904 100644 --- a/tools/libxc/xc_dom_x86.c +++ b/tools/libxc/xc_dom_x86.c @@ -676,8 +676,7 @@ static int alloc_magic_pages_hvm(struct xc_dom_image *dom) if ( dom->cmdline ) { - strncpy(cmdline, dom->cmdline, MAX_GUEST_CMDLINE); - cmdline[MAX_GUEST_CMDLINE - 1] = '\0'; + strncpy(cmdline, dom->cmdline, cmdline_size); start_info->cmdline_paddr = (seg.pfn << PAGE_SHIFT) + ((uintptr_t)cmdline - (uintptr_t)start_info); }