From: Javi Merino
To: xen-devel@lists.xenproject.org
Cc: Javi Merino, Anthony PERARD, Juergen Gross, Edwin Török
Subject: [XEN PATCH v3 1/3] libxl: Fix nul-termination of the return value of libxl_xen_console_read_line()
Date: Mon, 2 Sep 2024 17:38:37 +0100
Message-ID: <37e935be214083f1b16b5da4d3be09e7cbafc971.1725294334.git.javi.merino@cloud.com>

When built with ASAN, "xl dmesg" crashes in the "printf("%s", line)" call in main_dmesg(). ASAN reports a heap buffer overflow: an off-by-one access to cr->buffer.

The readconsole sysctl copies up to count characters into the buffer, but it does not add a null character at the end. Despite the documentation of libxl_xen_console_read_line(), line_r is not nul-terminated if 16384 characters were copied to the buffer.

Fix this by asking xc_readconsolering() to fill the buffer up to size - 1. As the number of characters in the buffer is only needed in libxl_xen_console_read_line(), make it a local variable there instead of part of the libxl__xen_console_reader struct.

Fixes: 4024bae739cc ("xl: Add subcommand 'xl dmesg'")
Reported-by: Edwin Török
Reviewed-by: Anthony PERARD
Signed-off-by: Javi Merino
---
 tools/libs/light/libxl_console.c  | 19 +++++++++++++++----
 tools/libs/light/libxl_internal.h |  1 -
 2 files changed, 15 insertions(+), 5 deletions(-)

diff --git a/tools/libs/light/libxl_console.c b/tools/libs/light/libxl_console.c
index a563c9d3c7f9..9f736b891335 100644
--- a/tools/libs/light/libxl_console.c
+++ b/tools/libs/light/libxl_console.c
@@ -774,12 +774,17 @@ libxl_xen_console_reader * { GC_INIT(ctx); libxl_xen_console_reader *cr; - unsigned int size =3D 16384; + /* + * We want xen to fill the buffer in as few hypercalls as + * possible, but xen will not nul-terminate it. The default size + * of Xen's console buffer is 16384. Leave one byte at the end + * for the null character. + */ + unsigned int size =3D 16384 + 1; =20 cr =3D libxl__zalloc(NOGC, sizeof(libxl_xen_console_reader)); cr->buffer =3D libxl__zalloc(NOGC, size); cr->size =3D size; - cr->count =3D size; cr->clear =3D clear; cr->incremental =3D 1; =20 @@ -800,10 +805,16 @@ int libxl_xen_console_read_line(libxl_ctx *ctx, char **line_r) { int ret; + /* + * Number of chars to copy into the buffer. xc_readconsolering() + * does not add a null character at the end, so leave a space for + * us to add it. + */ + unsigned int nr_chars =3D cr->size - 1; GC_INIT(ctx); =20 memset(cr->buffer, 0, cr->size); - ret =3D xc_readconsolering(ctx->xch, cr->buffer, &cr->count, + ret =3D xc_readconsolering(ctx->xch, cr->buffer, &nr_chars, cr->clear, cr->incremental, &cr->index); if (ret < 0) { LOGE(ERROR, "reading console ring buffer"); @@ -811,7 +822,7 @@ int libxl_xen_console_read_line(libxl_ctx *ctx, return ERROR_FAIL; } if (!ret) { - if (cr->count) { + if (nr_chars) { *line_r =3D cr->buffer; ret =3D 1; } else { diff --git a/tools/libs/light/libxl_internal.h b/tools/libs/light/libxl_int= ernal.h index 089a2f949c53..cfac8e18b6d3 100644 --- a/tools/libs/light/libxl_internal.h +++ b/tools/libs/light/libxl_internal.h @@ -2077,7 +2077,6 @@ _hidden char *libxl__uuid2string(libxl__gc *gc, const= libxl_uuid uuid); struct libxl__xen_console_reader { char *buffer; unsigned int size; - unsigned int count; unsigned int clear; unsigned int incremental; unsigned int index; --=20 2.45.2
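Review bot: In the libxl_xen_console_reader_start() hunk the new comment explains the 16384 literal as "the default size of Xen's console buffer", but the code never names that relationship, so the `+ 1` reads as an arbitrary fudge to anyone who has not seen this commit. A named constant for the ring size next to the struct (with the `+ 1` applied where the buffer is allocated) would make the "one byte reserved for the terminator" intent greppable. The same comment also switches between "nul-terminate" and "null character" within two sentences; the subject line uses "nul", so pick that spelling throughout.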
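Review bot: In the libxl_xen_console_read_line() hunk the comment on nr_chars only describes its input meaning ("Number of chars to copy into the buffer"), but the variable is in/out: after `xc_readconsolering(ctx->xch, cr->buffer, &nr_chars, ...)` returns it holds how many characters Xen actually copied, and that returned value is what the `if (nr_chars)` test further down relies on. Say so in the comment. Note also that the terminator is still provided only by the `memset(cr->buffer, 0, cr->size)` before the call; an explicit `cr->buffer[nr_chars] = '\0';` after a successful call would make the guarantee local to this function rather than a side effect of the memset, and is always in bounds since nr_chars cannot exceed cr->size - 1.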
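Review bot: In the libxl_internal.h hunk, removing `count` leaves `size` as the only length field, and it now means the allocated size including the byte reserved for the terminator, which is one more than the count handed to xc_readconsolering(). A one-line comment on the field (for instance "allocated bytes, including the trailing nul") would stop a future caller from passing `cr->size` to the sysctl again and reintroducing the overflow this patch fixes.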
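To make the off-by-one described in the commit message concrete, here is an added example in C. It is not libxl or Xen code: `mock_readconsolering()` is a constructed stand-in for xc_readconsolering() with the property the commit message describes (it copies up to `*count` bytes, reports how many it copied through the same pointer, and never writes a terminator), and the ring contents, `BUF_CHARS` and the helper names are all assumptions chosen for the demonstration. It shows the pre-fix pattern (an N-byte buffer filled with N bytes, so `"%s"` has no terminator to stop at), the fixed pattern (N + 1 bytes allocated, N requested, terminator written explicitly), and goes one step beyond the patch by draining a ring larger than the buffer to show why the loop must test the returned count rather than the requested one.

```c
/*
 * Added example (not libxl code): a stand-in for the readconsole sysctl
 * that copies raw bytes and reports the count through an in/out
 * parameter, but never appends '\0', the contract the commit describes.
 */
#include <assert.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed ring contents; the literal's own NUL is never copied. */
static const char ring[] = "line one\nline two\nline three\nline four!\n";
#define RING_SIZE ((unsigned int)(sizeof(ring) - 1))   /* 40 bytes */
#define BUF_CHARS 16U      /* characters requested per "hypercall" */

/* Copies min(*pnr_chars, bytes left) from ring[*pindex], like Xen would. */
static int mock_readconsolering(char *buf, unsigned int *pnr_chars,
                                unsigned int *pindex)
{
    unsigned int avail = RING_SIZE - *pindex;
    unsigned int n = *pnr_chars < avail ? *pnr_chars : avail;

    memcpy(buf, ring + *pindex, n);   /* raw bytes only: no '\0' appended */
    *pindex += n;
    *pnr_chars = n;                   /* in/out: now the number copied */
    return 0;
}

/* Pre-fix pattern: buffer of exactly BUF_CHARS, ask for BUF_CHARS. */
static unsigned int read_line_buggy(char buf[BUF_CHARS], unsigned int *pindex)
{
    unsigned int nr_chars = BUF_CHARS;

    memset(buf, 0, BUF_CHARS);
    mock_readconsolering(buf, &nr_chars, pindex);
    return nr_chars;   /* == BUF_CHARS means buf holds no '\0' at all */
}

/* Fixed pattern: buffer of BUF_CHARS + 1, ask for size - 1, terminate. */
static unsigned int read_line_fixed(char buf[BUF_CHARS + 1],
                                    unsigned int *pindex)
{
    unsigned int nr_chars = BUF_CHARS;   /* sizeof buffer - 1 */

    mock_readconsolering(buf, &nr_chars, pindex);
    buf[nr_chars] = '\0';                /* nr_chars <= BUF_CHARS: in bounds */
    return nr_chars;
}

/* 1 if buf[0..size) contains a terminator, so "%s" cannot run past it. */
static int has_terminator(const char *buf, size_t size)
{
    return memchr(buf, '\0', size) != NULL;
}

/*
 * Reads the whole ring BUF_CHARS at a time into out (out_size bytes),
 * stopping when the returned count is zero. Returns how many calls
 * copied data, i.e. how many "hypercalls" the buffer size cost us.
 */
static unsigned int drain_ring(char *out, size_t out_size)
{
    char buf[BUF_CHARS + 1];
    unsigned int index = 0, calls = 0;

    out[0] = '\0';
    while (read_line_fixed(buf, &index) > 0) {
        calls++;
        strncat(out, buf, out_size - strlen(out) - 1);
    }
    return calls;
}

int main(void)
{
    char buggy[BUF_CHARS];
    char full[RING_SIZE + 1];
    unsigned int index = 0;

    read_line_buggy(buggy, &index);
    printf("pre-fix buffer has a terminator: %s\n",
           has_terminator(buggy, sizeof buggy) ? "yes" : "no");
    printf("calls needed to drain the ring: %u\n",
           drain_ring(full, sizeof full));
    printf("%s", full);   /* safe: full is always terminated */
    return 0;
}
```

Running it shows "no" for the pre-fix buffer (every byte is payload, so a `"%s"` read keeps going into whatever follows the allocation, which is exactly what ASAN flagged in main_dmesg()) and three productive calls for a 40-byte ring with 16 characters requested per call; the fixed reader never passes the full buffer size to the copy routine.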