console: avoid buffer overflow in guest_console_write()

The switch of guest_console_write()'s second parameter from plain to
unsigned int has caused the function's main loop header to no longer
guard the min_t() use within the function against effectively negative
values, due to the casts hidden inside the macro. Replace by a plain
min(), casting one of the arguments as necessary.

Fixes: ea601ec9995b ("xen/console: Rework HYPERCALL_console_io interface")
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
Acked-by: Julien Grall <julien@xen.org>
Release-acked-by: Juergen Gross <jgross@suse.com>
master commit: aaf8839fdf8b9b1a93a3837b82f680adea1b297c
master date: 2019-11-29 17:08:20 +0100

diff --git a/xen/drivers/char/console.c b/xen/drivers/char/console.c
index e133534be7e63cb67b8245d45ca30b58617474ee..aa72bd124433c40b0a3e450775f3732180784a67 100644 (file)
--- a/xen/drivers/char/console.c
+++ b/xen/drivers/char/console.c
@@ -538,7 +538,7 @@ static long guest_console_write(XEN_GUEST_HANDLE_PARAM(char) buffer,
                 __HYPERVISOR_console_io, "iih",
                 CONSOLEIO_write, count, buffer);
 
-        kcount = min_t(int, count, sizeof(kbuf)-1);
+        kcount = min((size_t)count, sizeof(kbuf) - 1);
         if ( copy_from_guest(kbuf, buffer, kcount) )
             return -EFAULT;