From b1e335a07e045a200b414ad31aca13478a75121b Mon Sep 17 00:00:00 2001
From: Demi Marie Obenour
Date: Sun, 12 Nov 2023 23:54:46 -0500
Subject: [PATCH] Avoid writing junk into Xenstore

The path buffer pointer would be overwritten, but the length would not be. xs_write() would therefore read out of bounds. This is not a security problem as the not-script process has no secrets in its address space, and besides it is not exposed to untrusted input.

Not tested beyond "it builds", but should be quite obvious.

Fixes: QubesOS/qubes-issues#8708
---
 not-script/not-script.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/not-script/not-script.c b/not-script/not-script.c
index 3b2f599d..a7e32060 100644
--- a/not-script/not-script.c
+++ b/not-script/not-script.c
@@ -487,8 +487,9 @@ int main(int argc, char **argv)
 char buf[sizeof("/dev/loop") + 10];
 char *physdev_path = data;
 if (major(dev) == LOOP_MAJOR) {
- if ((unsigned)snprintf(buf, sizeof buf, "/dev/loop%" PRIu32,
- (unsigned)minor(dev)) >= sizeof buf)
+ path_len = (unsigned)snprintf(buf, sizeof buf, "/dev/loop%" PRIu32,
+ (unsigned)minor(dev));
+ if (path_len >= sizeof buf)
 abort();
 physdev_path = buf;
 }
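Review bot: The new `path_len = (unsigned)snprintf(...)` on the `+` lines depends on `path_len` being declared with an unsigned type (`unsigned` or `size_t`) outside this hunk, consistent with the `(unsigned)` cast and the comparison against `sizeof buf`; that declaration is not visible here, so it is worth confirming rather than assuming. The cast is load-bearing: a negative `snprintf` error return wraps to a very large unsigned value, fails the `path_len >= sizeof buf` check and reaches `abort()`, so a comment such as `/* a negative (error) return wraps to a huge unsigned and trips the bounds check below */` would stop a later maintainer from "cleaning up" the cast and silently storing -1 as the length handed to xs_write(). Since `sizeof("/dev/loop") + 10` is exactly 20 bytes, the longest 32-bit minor (`/dev/loop4294967295` plus NUL) fits with no slack, so truncation is only reachable on an snprintf error; stating that in the same comment documents why the buffer size is not arbitrary. The enclosing `main` begins and ends outside this hunk, so the earlier assignment of `path_len` for the non-loop path cannot be checked from here.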