From: Ian Jackson <ian.jackson@eu.citrix.com>
To: xen-devel@lists.xensource.com
Cc: andrew.cooper3@citrix.com, mattjd@gmail.com,
Ian Jackson <ian.jackson@eu.citrix.com>,
security@xen.org
Subject: [PATCH 11/16] libelf: Check pointer references in elf_is_elfbinary
Date: Tue, 4 Jun 2013 18:59:58 +0100 [thread overview]
Message-ID: <1370368803-9436-12-git-send-email-ian.jackson@eu.citrix.com> (raw)
In-Reply-To: <1370368803-9436-1-git-send-email-ian.jackson@eu.citrix.com>
elf_is_elfbinary didn't take a length parameter and could potentially
access out of range when provided with a very short image.
Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
v2: Style fix.
Fix commit message subject.
---
tools/libxc/xc_dom_elfloader.c | 2 +-
xen/arch/x86/bzimage.c | 4 ++--
xen/common/libelf/libelf-loader.c | 2 +-
xen/common/libelf/libelf-tools.c | 9 ++++++---
xen/include/xen/libelf.h | 2 +-
5 files changed, 11 insertions(+), 8 deletions(-)
diff --git a/tools/libxc/xc_dom_elfloader.c b/tools/libxc/xc_dom_elfloader.c
index a28cfa3..177219f 100644
--- a/tools/libxc/xc_dom_elfloader.c
+++ b/tools/libxc/xc_dom_elfloader.c
@@ -93,7 +93,7 @@ static int check_elf_kernel(struct xc_dom_image *dom, int verbose)
return -EINVAL;
}
- if ( !elf_is_elfbinary(dom->kernel_blob) )
+ if ( !elf_is_elfbinary(dom->kernel_blob, dom->kernel_size) )
{
if ( verbose )
xc_dom_panic(dom->xch,
diff --git a/xen/arch/x86/bzimage.c b/xen/arch/x86/bzimage.c
index c5519d8..58fda16 100644
--- a/xen/arch/x86/bzimage.c
+++ b/xen/arch/x86/bzimage.c
@@ -220,7 +220,7 @@ unsigned long __init bzimage_headroom(char *image_start,
image_length = hdr->payload_length;
}
- if ( elf_is_elfbinary(image_start) )
+ if ( elf_is_elfbinary(image_start, image_length) )
return 0;
orig_image_len = image_length;
@@ -251,7 +251,7 @@ int __init bzimage_parse(char *image_base, char **image_start, unsigned long *im
*image_len = hdr->payload_length;
}
- if ( elf_is_elfbinary(*image_start) )
+ if ( elf_is_elfbinary(*image_start, *image_len) )
return 0;
BUG_ON(!(image_base < *image_start));
diff --git a/xen/common/libelf/libelf-loader.c b/xen/common/libelf/libelf-loader.c
index 878552e..6c43c34 100644
--- a/xen/common/libelf/libelf-loader.c
+++ b/xen/common/libelf/libelf-loader.c
@@ -29,7 +29,7 @@ int elf_init(struct elf_binary *elf, const char *image_input, size_t size)
ELF_HANDLE_DECL(elf_shdr) shdr;
uint64_t i, count, section, offset;
- if ( !elf_is_elfbinary(image_input) )
+ if ( !elf_is_elfbinary(image_input, size) )
{
elf_err(elf, "%s: not an ELF binary\n", __FUNCTION__);
return -1;
diff --git a/xen/common/libelf/libelf-tools.c b/xen/common/libelf/libelf-tools.c
index 4e9ac21..1d5963a 100644
--- a/xen/common/libelf/libelf-tools.c
+++ b/xen/common/libelf/libelf-tools.c
@@ -329,11 +329,14 @@ ELF_HANDLE_DECL(elf_note) elf_note_next(struct elf_binary *elf, ELF_HANDLE_DECL(
/* ------------------------------------------------------------------------ */
-int elf_is_elfbinary(const void *image)
+int elf_is_elfbinary(const void *image_start, size_t image_size)
{
- const Elf32_Ehdr *ehdr = image;
+ const Elf32_Ehdr *ehdr = image_start;
- return IS_ELF(*ehdr); /* fixme unchecked */
+ if ( image_size < sizeof(*ehdr) )
+ return 0;
+
+ return IS_ELF(*ehdr);
}
int elf_phdr_is_loadable(struct elf_binary *elf, ELF_HANDLE_DECL(elf_phdr) phdr)
diff --git a/xen/include/xen/libelf.h b/xen/include/xen/libelf.h
index 22aa4fc..5b71c7f 100644
--- a/xen/include/xen/libelf.h
+++ b/xen/include/xen/libelf.h
@@ -349,7 +349,7 @@ uint64_t elf_note_numeric_array(struct elf_binary *, ELF_HANDLE_DECL(elf_note),
unsigned int unitsz, unsigned int idx);
ELF_HANDLE_DECL(elf_note) elf_note_next(struct elf_binary *elf, ELF_HANDLE_DECL(elf_note) note);
-int elf_is_elfbinary(const void *image);
+int elf_is_elfbinary(const void *image_start, size_t image_size);
int elf_phdr_is_loadable(struct elf_binary *elf, ELF_HANDLE_DECL(elf_phdr) phdr);
/* ------------------------------------------------------------------------ */
--
1.7.2.5
next prev parent reply other threads:[~2013-06-04 17:59 UTC|newest]
Thread overview: 47+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-06-04 17:59 [PATCH 4 00/16] XSA55 libelf fixes for unstable Ian Jackson
2013-06-04 17:59 ` [PATCH 01/16] libelf: abolish libelf-relocate.c Ian Jackson
2013-06-04 17:59 ` [PATCH 02/16] libxc: introduce xc_dom_seg_to_ptr_pages Ian Jackson
2013-06-04 17:59 ` [PATCH 03/16] libelf: add `struct elf_binary*' parameter to elf_load_image Ian Jackson
2013-06-05 10:32 ` George Dunlap
2013-06-05 11:01 ` Andrew Cooper
2013-06-05 11:54 ` Ian Jackson
2013-06-04 17:59 ` [PATCH 04/16] libelf: abolish elf_sval and elf_access_signed Ian Jackson
2013-06-04 17:59 ` [PATCH 05/16] libelf: move include of <asm/guest_access.h> to top of file Ian Jackson
2013-06-04 17:59 ` [PATCH 06/16] libelf/xc_dom_load_elf_symtab: Do not use "syms" uninitialised Ian Jackson
2013-06-04 17:59 ` [PATCH 07/16] libelf: introduce macros for memory access and pointer handling Ian Jackson
2013-06-04 17:59 ` [PATCH 08/16] tools/xcutils/readnotes: adjust print_l1_mfn_valid_note Ian Jackson
2013-06-04 17:59 ` [PATCH 09/16] libelf: check nul-terminated strings properly Ian Jackson
2013-06-04 17:59 ` [PATCH 10/16] libelf: check all pointer accesses Ian Jackson
2013-06-06 11:19 ` George Dunlap
2013-06-06 14:51 ` Ian Jackson
2013-06-06 16:20 ` George Dunlap
2013-06-06 18:11 ` Ian Jackson
2013-06-06 12:25 ` Matthew Daley
2013-06-06 14:59 ` Ian Jackson
2013-06-07 3:44 ` Matthew Daley
2013-06-06 15:30 ` Ian Campbell
2013-06-07 4:03 ` Matthew Daley
2013-06-04 17:59 ` Ian Jackson [this message]
2013-06-04 17:59 ` [PATCH 12/16] libelf: Make all callers call elf_check_broken Ian Jackson
2013-06-05 14:51 ` Andrew Cooper
2013-06-05 15:31 ` Andrew Cooper
2013-06-06 14:08 ` George Dunlap
2013-06-06 18:41 ` Ian Jackson
2013-06-04 18:00 ` [PATCH 13/16] libelf: use C99 bool for booleans Ian Jackson
2013-06-06 14:28 ` George Dunlap
2013-06-06 14:46 ` Ian Jackson
2013-06-04 18:00 ` [PATCH 14/16] libelf: use only unsigned integers Ian Jackson
2013-06-06 16:07 ` George Dunlap
2013-06-06 18:14 ` Ian Jackson
2013-06-07 7:14 ` Jan Beulich
2013-06-07 14:35 ` Ian Jackson
2013-06-07 15:50 ` Jan Beulich
2013-06-04 18:00 ` [PATCH 15/16] libelf: check loops for running away Ian Jackson
2013-06-04 18:00 ` [PATCH 16/16] libelf: abolish obsolete macros Ian Jackson
2013-06-04 18:08 ` [PATCH 4 00/16] XSA55 libelf fixes for unstable Ian Jackson
2013-06-04 21:39 ` Andrew Cooper
2013-06-05 11:53 ` Ian Jackson
2013-06-06 14:04 ` Matthew Daley
2013-06-06 18:39 ` Ian Jackson
2013-06-07 3:35 ` Matthew Daley
-- strict thread matches above, loose matches on Subject: below --
2013-06-03 15:41 [PATCH v3.1 " Ian Jackson
2013-06-03 15:41 ` [PATCH 11/16] libelf: Check pointer references in elf_is_elfbinary Ian Jackson
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1370368803-9436-12-git-send-email-ian.jackson@eu.citrix.com \
--to=ian.jackson@eu.citrix.com \
--cc=andrew.cooper3@citrix.com \
--cc=mattjd@gmail.com \
--cc=security@xen.org \
--cc=xen-devel@lists.xensource.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).