From: Simon Rowe <simon.rowe@eu.citrix.com>
To: xen-devel@lists.xensource.com
Subject: Re: Xen security advisory CVE-2011-1583 - pv kernel image validation
Date: Mon, 9 May 2011 16:05:41 +0100 [thread overview]
Message-ID: <201105091605.41396.simon.rowe@eu.citrix.com> (raw)
In-Reply-To: <19911.62834.915847.524478@mariner.uk.xensource.com>
[-- Attachment #1: Type: text/plain, Size: 84 bytes --]
Attached are patches for Xen 3.2 & 3.3 as shipped with XenServer 5.0 & 5.5,
Simon
[-- Attachment #2: cve-2011-1583-3.2.patch --]
[-- Type: text/x-patch, Size: 2571 bytes --]
# HG changeset patch
# Parent 11931301845c3b4b6a358f2d7246874b1d10c05f
diff -r 11931301845c tools/libxc/xc_dom_bzimageloader.c
--- a/tools/libxc/xc_dom_bzimageloader.c Mon Mar 14 16:59:49 2011 +0000
+++ b/tools/libxc/xc_dom_bzimageloader.c Tue May 03 10:09:28 2011 +0100
@@ -61,18 +61,18 @@
extern struct xc_dom_loader elf_loader;
-static unsigned int payload_offset(struct setup_header *hdr)
+static int check_magic(struct xc_dom_image *dom, const void *magic, size_t len)
{
- unsigned int off;
+ if (len > dom->kernel_size)
+ return 0;
- off = (hdr->setup_sects + 1) * 512;
- off += hdr->payload_offset;
- return off;
+ return (memcmp(dom->kernel_blob, magic, len) == 0);
}
static int check_bzimage_kernel(struct xc_dom_image *dom, int verbose)
{
struct setup_header *hdr;
+ uint64_t payload_offset, payload_length;
if ( dom->kernel_blob == NULL )
{
@@ -107,14 +107,43 @@
return -EINVAL;
}
- dom->kernel_blob = dom->kernel_blob + payload_offset(hdr);
- dom->kernel_size = hdr->payload_length;
- if ( xc_dom_try_gunzip(dom, &dom->kernel_blob, &dom->kernel_size) == -1 )
+ /* upcast to 64 bits to avoid overflow */
+ /* setup_sects is u8 and so cannot overflow */
+ payload_offset = (hdr->setup_sects + 1) * 512;
+ payload_offset += hdr->payload_offset;
+ payload_length = hdr->payload_length;
+
+ if ( payload_offset >= dom->kernel_size )
{
- if ( verbose )
- xc_dom_panic(XC_INVALID_KERNEL, "%s: unable to decompress kernel\n",
- __FUNCTION__);
+ xc_dom_panic(XC_INVALID_KERNEL, "%s: payload offset overflow",
+ __FUNCTION__);
+ return -EINVAL;
+ }
+ if ( (payload_offset + payload_length) > dom->kernel_size )
+ {
+ xc_dom_panic(XC_INVALID_KERNEL, "%s: payload length overflow",
+ __FUNCTION__);
+ return -EINVAL;
+ }
+
+ dom->kernel_blob = dom->kernel_blob + payload_offset;
+ dom->kernel_size = payload_length;
+
+ if ( check_magic(dom, "\037\213", 2) )
+ {
+ if ( xc_dom_try_gunzip(dom, &dom->kernel_blob, &dom->kernel_size) == -1 )
+ {
+ if ( verbose )
+ xc_dom_panic(XC_INVALID_KERNEL, "%s: unable to decompress kernel\n",
+ __FUNCTION__);
+ return -EINVAL;
+ }
+ }
+ else
+ {
+ xc_dom_panic(XC_INVALID_KERNEL, "%s: unknown compression format\n",
+ __FUNCTION__);
return -EINVAL;
}
[-- Attachment #3: cve-2011-1583-3.3.patch --]
[-- Type: text/x-patch, Size: 2571 bytes --]
# HG changeset patch
# Parent 11931301845c3b4b6a358f2d7246874b1d10c05f
diff -r 11931301845c tools/libxc/xc_dom_bzimageloader.c
--- a/tools/libxc/xc_dom_bzimageloader.c Mon Mar 14 16:59:49 2011 +0000
+++ b/tools/libxc/xc_dom_bzimageloader.c Tue May 03 10:09:28 2011 +0100
@@ -61,18 +61,18 @@
extern struct xc_dom_loader elf_loader;
-static unsigned int payload_offset(struct setup_header *hdr)
+static int check_magic(struct xc_dom_image *dom, const void *magic, size_t len)
{
- unsigned int off;
+ if (len > dom->kernel_size)
+ return 0;
- off = (hdr->setup_sects + 1) * 512;
- off += hdr->payload_offset;
- return off;
+ return (memcmp(dom->kernel_blob, magic, len) == 0);
}
static int check_bzimage_kernel(struct xc_dom_image *dom, int verbose)
{
struct setup_header *hdr;
+ uint64_t payload_offset, payload_length;
if ( dom->kernel_blob == NULL )
{
@@ -107,14 +107,43 @@
return -EINVAL;
}
- dom->kernel_blob = dom->kernel_blob + payload_offset(hdr);
- dom->kernel_size = hdr->payload_length;
- if ( xc_dom_try_gunzip(dom, &dom->kernel_blob, &dom->kernel_size) == -1 )
+ /* upcast to 64 bits to avoid overflow */
+ /* setup_sects is u8 and so cannot overflow */
+ payload_offset = (hdr->setup_sects + 1) * 512;
+ payload_offset += hdr->payload_offset;
+ payload_length = hdr->payload_length;
+
+ if ( payload_offset >= dom->kernel_size )
{
- if ( verbose )
- xc_dom_panic(XC_INVALID_KERNEL, "%s: unable to decompress kernel\n",
- __FUNCTION__);
+ xc_dom_panic(XC_INVALID_KERNEL, "%s: payload offset overflow",
+ __FUNCTION__);
+ return -EINVAL;
+ }
+ if ( (payload_offset + payload_length) > dom->kernel_size )
+ {
+ xc_dom_panic(XC_INVALID_KERNEL, "%s: payload length overflow",
+ __FUNCTION__);
+ return -EINVAL;
+ }
+
+ dom->kernel_blob = dom->kernel_blob + payload_offset;
+ dom->kernel_size = payload_length;
+
+ if ( check_magic(dom, "\037\213", 2) )
+ {
+ if ( xc_dom_try_gunzip(dom, &dom->kernel_blob, &dom->kernel_size) == -1 )
+ {
+ if ( verbose )
+ xc_dom_panic(XC_INVALID_KERNEL, "%s: unable to decompress kernel\n",
+ __FUNCTION__);
+ return -EINVAL;
+ }
+ }
+ else
+ {
+ xc_dom_panic(XC_INVALID_KERNEL, "%s: unknown compression format\n",
+ __FUNCTION__);
return -EINVAL;
}
[-- Attachment #4: Type: text/plain, Size: 138 bytes --]
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xensource.com
http://lists.xensource.com/xen-devel
prev parent reply other threads:[~2011-05-09 15:05 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2011-05-09 14:08 Xen security advisory CVE-2011-1583 - pv kernel image validation Ian Jackson
2011-05-09 15:05 ` Simon Rowe [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=201105091605.41396.simon.rowe@eu.citrix.com \
--to=simon.rowe@eu.citrix.com \
--cc=xen-devel@lists.xensource.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).