From: Jan Beulich <jbeulich@suse.com>
Date: Fri, 29 Nov 2019 16:08:20 +0000 (+0100)
Subject: console: avoid buffer overflow in guest_console_write()
X-Git-Url: http://xenbits.xensource.com/gitweb?a=commitdiff_plain;h=aaf8839fdf8b9b1a93a3837b82f680adea1b297c;p=people%2Fsstabellini%2Fxen-unstable.git%2F.git

console: avoid buffer overflow in guest_console_write()

The switch of guest_console_write()'s second parameter from plain to
unsigned int has caused the function's main loop header to no longer
guard the min_t() use within the function against effectively negative
values, due to the casts hidden inside the macro. Replace by a plain
min(), casting one of the arguments as necessary.

Fixes: ea601ec9995b ("xen/console: Rework HYPERCALL_console_io interface")
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
Acked-by: Julien Grall <julien@xen.org>
---

diff --git a/xen/drivers/char/console.c b/xen/drivers/char/console.c
index e133534be7..aa72bd1244 100644
--- a/xen/drivers/char/console.c
+++ b/xen/drivers/char/console.c
@@ -538,7 +538,7 @@ static long guest_console_write(XEN_GUEST_HANDLE_PARAM(char) buffer,
                 __HYPERVISOR_console_io, "iih",
                 CONSOLEIO_write, count, buffer);
 
-        kcount = min_t(int, count, sizeof(kbuf)-1);
+        kcount = min((size_t)count, sizeof(kbuf) - 1);
         if ( copy_from_guest(kbuf, buffer, kcount) )
             return -EFAULT;