This issue was discovered before it made it into any released version of Xen.

Therefore, no XSA or CVE was issued.

A bugfix in Xen 4.13 altered CONSOLEIO_write to tolerate passing NUL characters intact, as this is a requirement for various TTY setups.

A signed-ness issue with the length calculation lead to a case where Xen will copy between 2 and 4G of guest provided data into a 128 byte object on the stack.

See also: tests/xsa-consoleio-write/main.c