From mboxrd@z Thu Jan 1 00:00:00 1970 From: Simon Rowe Subject: Re: Xen security advisory CVE-2011-1583 - pv kernel image validation Date: Mon, 9 May 2011 16:05:41 +0100 Message-ID: <201105091605.41396.simon.rowe@eu.citrix.com> References: <19911.62834.915847.524478@mariner.uk.xensource.com> Mime-Version: 1.0 Content-Type: multipart/mixed; boundary="Boundary-00=_FLAyNtozLK067e2" Return-path: In-Reply-To: <19911.62834.915847.524478@mariner.uk.xensource.com> List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Sender: xen-devel-bounces@lists.xensource.com Errors-To: xen-devel-bounces@lists.xensource.com To: xen-devel@lists.xensource.com List-Id: xen-devel@lists.xenproject.org --Boundary-00=_FLAyNtozLK067e2 Content-Type: text/plain; charset="iso-8859-15" Content-Transfer-Encoding: 7bit Attached are patches for Xen 3.2 & 3.3 as shipped with XenServer 5.0 & 5.5, Simon --Boundary-00=_FLAyNtozLK067e2 Content-Type: text/x-patch; charset="UTF-8"; name="cve-2011-1583-3.2.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="cve-2011-1583-3.2.patch" # HG changeset patch # Parent 11931301845c3b4b6a358f2d7246874b1d10c05f diff -r 11931301845c tools/libxc/xc_dom_bzimageloader.c --- a/tools/libxc/xc_dom_bzimageloader.c Mon Mar 14 16:59:49 2011 +0000 +++ b/tools/libxc/xc_dom_bzimageloader.c Tue May 03 10:09:28 2011 +0100 @@ -61,18 +61,18 @@ extern struct xc_dom_loader elf_loader; -static unsigned int payload_offset(struct setup_header *hdr) +static int check_magic(struct xc_dom_image *dom, const void *magic, size_t len) { - unsigned int off; + if (len > dom->kernel_size) + return 0; - off = (hdr->setup_sects + 1) * 512; - off += hdr->payload_offset; - return off; + return (memcmp(dom->kernel_blob, magic, len) == 0); } static int check_bzimage_kernel(struct xc_dom_image *dom, int verbose) { struct setup_header *hdr; + uint64_t payload_offset, payload_length; if ( dom->kernel_blob == NULL ) { 
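Review bot: check_magic's new `if (len > dom->kernel_size)` and `return 0;` lines use K&R-style parentheses, while the rest of this file — including check_bzimage_kernel's `if ( dom->kernel_blob == NULL )` a few lines below in the same hunk — follows the Xen tools convention with spaces inside the parentheses; `if ( len > dom->kernel_size )` would match. The helper never writes through `dom`, so declaring it `const struct xc_dom_image *dom` would state that contract and let the compiler enforce it, and a one-line comment such as `/* Non-zero if the kernel blob starts with the len magic bytes; a len longer than the blob simply fails the check. */` would spare the next reader the inference. The identical hunk appears again in the 3.3 patch further down, so both remarks apply there too.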
@@ -107,14 +107,43 @@ return -EINVAL; } - dom->kernel_blob = dom->kernel_blob + payload_offset(hdr); - dom->kernel_size = hdr->payload_length; - if ( xc_dom_try_gunzip(dom, &dom->kernel_blob, &dom->kernel_size) == -1 ) + /* upcast to 64 bits to avoid overflow */ + /* setup_sects is u8 and so cannot overflow */ + payload_offset = (hdr->setup_sects + 1) * 512; + payload_offset += hdr->payload_offset; + payload_length = hdr->payload_length; + + if ( payload_offset >= dom->kernel_size ) { - if ( verbose ) - xc_dom_panic(XC_INVALID_KERNEL, "%s: unable to decompress kernel\n", - __FUNCTION__); + xc_dom_panic(XC_INVALID_KERNEL, "%s: payload offset overflow", + __FUNCTION__); + return -EINVAL; + } + if ( (payload_offset + payload_length) > dom->kernel_size ) + { + xc_dom_panic(XC_INVALID_KERNEL, "%s: payload length overflow", + __FUNCTION__); + return -EINVAL; + } + + dom->kernel_blob = dom->kernel_blob + payload_offset; + dom->kernel_size = payload_length; + + if ( check_magic(dom, "\037\213", 2) ) + { + if ( xc_dom_try_gunzip(dom, &dom->kernel_blob, &dom->kernel_size) == -1 ) + { + if ( verbose ) + xc_dom_panic(XC_INVALID_KERNEL, "%s: unable to decompress kernel\n", + __FUNCTION__); + return -EINVAL; + } + } + else + { + xc_dom_panic(XC_INVALID_KERNEL, "%s: unknown compression format\n", + __FUNCTION__); return -EINVAL; } --Boundary-00=_FLAyNtozLK067e2 Content-Type: text/x-patch; charset="UTF-8"; name="cve-2011-1583-3.3.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="cve-2011-1583-3.3.patch" # HG changeset patch # Parent 11931301845c3b4b6a358f2d7246874b1d10c05f diff -r 11931301845c tools/libxc/xc_dom_bzimageloader.c --- a/tools/libxc/xc_dom_bzimageloader.c Mon Mar 14 16:59:49 2011 +0000 +++ b/tools/libxc/xc_dom_bzimageloader.c Tue May 03 10:09:28 2011 +0100 
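Review bot: The two new rejection paths, `payload offset overflow` and `payload length overflow`, call xc_dom_panic unconditionally and their format strings lack the trailing `\n`, whereas the neighbouring `unable to decompress kernel\n` report in this hunk is gated on `verbose` and newline-terminated, and the new `unknown compression format\n` branch is likewise ungated. If reporting a header whose payload lies outside the image regardless of `verbose` is deliberate — plausible, since a malformed bzImage is worth logging even on a probe — a short comment saying so would protect it from a later "consistency fix"; otherwise wrap them in `if ( verbose )` and use `"%s: payload offset overflow\n"` / `"%s: payload length overflow\n"`. The bounds arithmetic itself looks sound: the hunk's own comment notes setup_sects is a u8, so `(hdr->setup_sects + 1) * 512` is at most 131072, both sums are formed in uint64_t, and each is compared against dom->kernel_size before kernel_blob is advanced. check_bzimage_kernel continues beyond the end of this hunk, and the same hunk in the 3.3 patch below carries the same point.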
@@ -61,18 +61,18 @@ extern struct xc_dom_loader elf_loader; -static unsigned int payload_offset(struct setup_header *hdr) +static int check_magic(struct xc_dom_image *dom, const void *magic, size_t len) { - unsigned int off; + if (len > dom->kernel_size) + return 0; - off = (hdr->setup_sects + 1) * 512; - off += hdr->payload_offset; - return off; + return (memcmp(dom->kernel_blob, magic, len) == 0); } static int check_bzimage_kernel(struct xc_dom_image *dom, int verbose) { struct setup_header *hdr; + uint64_t payload_offset, payload_length; if ( dom->kernel_blob == NULL ) { 
@@ -107,14 +107,43 @@ return -EINVAL; } - dom->kernel_blob = dom->kernel_blob + payload_offset(hdr); - dom->kernel_size = hdr->payload_length; - if ( xc_dom_try_gunzip(dom, &dom->kernel_blob, &dom->kernel_size) == -1 ) + /* upcast to 64 bits to avoid overflow */ + /* setup_sects is u8 and so cannot overflow */ + payload_offset = (hdr->setup_sects + 1) * 512; + payload_offset += hdr->payload_offset; + payload_length = hdr->payload_length; + + if ( payload_offset >= dom->kernel_size ) { - if ( verbose ) - xc_dom_panic(XC_INVALID_KERNEL, "%s: unable to decompress kernel\n", - __FUNCTION__); + xc_dom_panic(XC_INVALID_KERNEL, "%s: payload offset overflow", + __FUNCTION__); + return -EINVAL; + } + if ( (payload_offset + payload_length) > dom->kernel_size ) + { + xc_dom_panic(XC_INVALID_KERNEL, "%s: payload length overflow", + __FUNCTION__); + return -EINVAL; + } + + dom->kernel_blob = dom->kernel_blob + payload_offset; + dom->kernel_size = payload_length; + + if ( check_magic(dom, "\037\213", 2) ) + { + if ( xc_dom_try_gunzip(dom, &dom->kernel_blob, &dom->kernel_size) == -1 ) + { + if ( verbose ) + xc_dom_panic(XC_INVALID_KERNEL, "%s: unable to decompress kernel\n", + __FUNCTION__); + return -EINVAL; + } + } + else + { + xc_dom_panic(XC_INVALID_KERNEL, "%s: unknown compression format\n", + __FUNCTION__); return -EINVAL; } --Boundary-00=_FLAyNtozLK067e2 Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Disposition: inline _______________________________________________ Xen-devel mailing list Xen-devel@lists.xensource.com http://lists.xensource.com/xen-devel --Boundary-00=_FLAyNtozLK067e2--