From: Andrew Cooper <andrew.cooper3@citrix.com>
To: Ian Jackson <ian.jackson@eu.citrix.com>
Cc: "xen-devel@lists.xensource.com" <xen-devel@lists.xensource.com>,
"mattjd@gmail.com" <mattjd@gmail.com>,
"security@xen.org" <security@xen.org>
Subject: Re: [PATCH 12/22] libelf: Check pointer references in elf_is_elfbinary
Date: Tue, 11 Jun 2013 00:04:45 +0100 [thread overview]
Message-ID: <51B65B8D.9070009@citrix.com> (raw)
In-Reply-To: <1370629642-6990-13-git-send-email-ian.jackson@eu.citrix.com>
On 07/06/13 19:27, Ian Jackson wrote:
> elf_is_elfbinary didn't take a length parameter and could potentially
> access out of range when provided with a very short image.
>
> This is part of the fix to a security issue, XSA-55.
>
> Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>
> Acked-by: Ian Campbell <ian.campbell@citrix.com>
> Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
>
> v2: Style fix.
> Fix commit message subject.
> ---
> tools/libxc/xc_dom_elfloader.c | 2 +-
> xen/arch/x86/bzimage.c | 4 ++--
> xen/common/libelf/libelf-loader.c | 2 +-
> xen/common/libelf/libelf-tools.c | 9 ++++++---
> xen/include/xen/libelf.h | 2 +-
> 5 files changed, 11 insertions(+), 8 deletions(-)
>
> diff --git a/tools/libxc/xc_dom_elfloader.c b/tools/libxc/xc_dom_elfloader.c
> index c038d1c..f14b053 100644
> --- a/tools/libxc/xc_dom_elfloader.c
> +++ b/tools/libxc/xc_dom_elfloader.c
> @@ -93,7 +93,7 @@ static int check_elf_kernel(struct xc_dom_image *dom, int verbose)
> return -EINVAL;
> }
>
> - if ( !elf_is_elfbinary(dom->kernel_blob) )
> + if ( !elf_is_elfbinary(dom->kernel_blob, dom->kernel_size) )
> {
> if ( verbose )
> xc_dom_panic(dom->xch,
> diff --git a/xen/arch/x86/bzimage.c b/xen/arch/x86/bzimage.c
> index c5519d8..58fda16 100644
> --- a/xen/arch/x86/bzimage.c
> +++ b/xen/arch/x86/bzimage.c
> @@ -220,7 +220,7 @@ unsigned long __init bzimage_headroom(char *image_start,
> image_length = hdr->payload_length;
> }
>
> - if ( elf_is_elfbinary(image_start) )
> + if ( elf_is_elfbinary(image_start, image_length) )
> return 0;
>
> orig_image_len = image_length;
> @@ -251,7 +251,7 @@ int __init bzimage_parse(char *image_base, char **image_start, unsigned long *im
> *image_len = hdr->payload_length;
> }
>
> - if ( elf_is_elfbinary(*image_start) )
> + if ( elf_is_elfbinary(*image_start, *image_len) )
> return 0;
>
> BUG_ON(!(image_base < *image_start));
> diff --git a/xen/common/libelf/libelf-loader.c b/xen/common/libelf/libelf-loader.c
> index 878552e..6c43c34 100644
> --- a/xen/common/libelf/libelf-loader.c
> +++ b/xen/common/libelf/libelf-loader.c
> @@ -29,7 +29,7 @@ int elf_init(struct elf_binary *elf, const char *image_input, size_t size)
> ELF_HANDLE_DECL(elf_shdr) shdr;
> uint64_t i, count, section, offset;
>
> - if ( !elf_is_elfbinary(image_input) )
> + if ( !elf_is_elfbinary(image_input, size) )
> {
> elf_err(elf, "%s: not an ELF binary\n", __FUNCTION__);
> return -1;
> diff --git a/xen/common/libelf/libelf-tools.c b/xen/common/libelf/libelf-tools.c
> index 08ab027..b613593 100644
> --- a/xen/common/libelf/libelf-tools.c
> +++ b/xen/common/libelf/libelf-tools.c
> @@ -332,11 +332,14 @@ ELF_HANDLE_DECL(elf_note) elf_note_next(struct elf_binary *elf, ELF_HANDLE_DECL(
>
> /* ------------------------------------------------------------------------ */
>
> -int elf_is_elfbinary(const void *image)
> +int elf_is_elfbinary(const void *image_start, size_t image_size)
> {
> - const Elf32_Ehdr *ehdr = image;
> + const Elf32_Ehdr *ehdr = image_start;
>
> - return IS_ELF(*ehdr); /* fixme unchecked */
> + if ( image_size < sizeof(*ehdr) )
> + return 0;
> +
> + return IS_ELF(*ehdr);
> }
sizeof(Elf32_Ehdr) == 52
sizeof(Elf64_Ehdr) == 64
As stated by a trivial C program containing 'printf("32: %zu, 64:
%zu\n", sizeof(Elf32_Ehdr), sizeof(Elf64_Ehdr));'
Therefore, the sizeof check is insufficient if given a 64bit elf.
It needs to check first against sizeof e_ident which is consistent
between the two, look up EI_CLASS in the ident, then choose the
appropriate structure.
~Andrew
>
> int elf_phdr_is_loadable(struct elf_binary *elf, ELF_HANDLE_DECL(elf_phdr) phdr)
> diff --git a/xen/include/xen/libelf.h b/xen/include/xen/libelf.h
> index 783f125..c54c90b 100644
> --- a/xen/include/xen/libelf.h
> +++ b/xen/include/xen/libelf.h
> @@ -349,7 +349,7 @@ uint64_t elf_note_numeric_array(struct elf_binary *, ELF_HANDLE_DECL(elf_note),
> unsigned int unitsz, unsigned int idx);
> ELF_HANDLE_DECL(elf_note) elf_note_next(struct elf_binary *elf, ELF_HANDLE_DECL(elf_note) note);
>
> -int elf_is_elfbinary(const void *image);
> +int elf_is_elfbinary(const void *image_start, size_t image_size);
> int elf_phdr_is_loadable(struct elf_binary *elf, ELF_HANDLE_DECL(elf_phdr) phdr);
>
> /* ------------------------------------------------------------------------ */
next prev parent reply other threads:[~2013-06-10 23:04 UTC|newest]
Thread overview: 68+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-06-07 18:27 [PATCH v6 00/22] XSA55 libelf fixes for unstable Ian Jackson
2013-06-07 18:27 ` [PATCH 01/22] libelf: abolish libelf-relocate.c Ian Jackson
2013-06-07 18:27 ` [PATCH 02/22] libxc: introduce xc_dom_seg_to_ptr_pages Ian Jackson
2013-06-10 12:21 ` Andrew Cooper
2013-06-10 13:40 ` Ian Jackson
2013-06-10 13:49 ` Andrew Cooper
2013-06-10 14:02 ` Ian Jackson
2013-06-10 15:24 ` Andrew Cooper
2013-06-07 18:27 ` [PATCH 03/22] libxc: Fix range checking in xc_dom_pfn_to_ptr etc Ian Jackson
2013-06-10 15:46 ` Andrew Cooper
2013-06-10 15:48 ` Ian Jackson
2013-06-10 15:53 ` Andrew Cooper
2013-06-10 15:54 ` Ian Jackson
2013-06-07 18:27 ` [PATCH 04/22] libelf: add `struct elf_binary*' parameter to elf_load_image Ian Jackson
2013-06-07 18:27 ` [PATCH 05/22] libelf: abolish elf_sval and elf_access_signed Ian Jackson
2013-06-07 18:27 ` [PATCH 06/22] libelf: move include of <asm/guest_access.h> to top of file Ian Jackson
2013-06-07 18:27 ` [PATCH 07/22] libelf/xc_dom_load_elf_symtab: Do not use "syms" uninitialised Ian Jackson
2013-06-07 18:27 ` [PATCH 08/22] libelf: introduce macros for memory access and pointer handling Ian Jackson
2013-06-10 16:57 ` Andrew Cooper
2013-06-10 16:58 ` Ian Jackson
2013-06-07 18:27 ` [PATCH 09/22] tools/xcutils/readnotes: adjust print_l1_mfn_valid_note Ian Jackson
2013-06-07 18:27 ` [PATCH 10/22] libelf: check nul-terminated strings properly Ian Jackson
2013-06-10 23:17 ` Andrew Cooper
2013-06-11 15:17 ` Ian Jackson
2013-06-07 18:27 ` [PATCH 11/22] libelf: check all pointer accesses Ian Jackson
2013-06-10 23:38 ` Andrew Cooper
2013-06-11 15:28 ` Ian Jackson
2013-06-07 18:27 ` [PATCH 12/22] libelf: Check pointer references in elf_is_elfbinary Ian Jackson
2013-06-10 23:04 ` Andrew Cooper [this message]
2013-06-11 15:11 ` Ian Jackson
2013-06-11 16:00 ` Andrew Cooper
2013-06-11 16:33 ` Ian Jackson
2013-06-07 18:27 ` [PATCH 13/22] libelf: Make all callers call elf_check_broken Ian Jackson
2013-06-07 18:27 ` [PATCH 14/22] libelf: use C99 bool for booleans Ian Jackson
2013-06-10 22:09 ` Andrew Cooper
2013-06-11 7:17 ` Jan Beulich
2013-06-11 14:50 ` Ian Jackson
2013-06-07 18:27 ` [PATCH 15/22] libelf: use only unsigned integers Ian Jackson
2013-06-10 18:28 ` Andrew Cooper
2013-06-11 13:16 ` Ian Jackson
2013-06-07 18:27 ` [PATCH 16/22] libelf: check loops for running away Ian Jackson
2013-06-10 22:56 ` Andrew Cooper
2013-06-11 15:07 ` Ian Jackson
2013-06-07 18:27 ` [PATCH 17/22] libelf: abolish obsolete macros Ian Jackson
2013-06-07 18:27 ` [PATCH 18/22] libxc: Add range checking to xc_dom_binloader Ian Jackson
2013-06-10 21:37 ` Andrew Cooper
2013-06-11 14:46 ` Ian Jackson
2013-06-07 18:27 ` [PATCH 19/22] libxc: check failure of xc_dom_*_to_ptr, xc_map_foreign_range Ian Jackson
2013-06-10 21:09 ` Andrew Cooper
2013-06-11 14:44 ` Ian Jackson
2013-06-07 18:27 ` [PATCH 20/22] libxc: check return values from malloc Ian Jackson
2013-06-07 18:32 ` Andrew Cooper
2013-06-11 15:53 ` Ian Jackson
2013-06-10 20:38 ` Andrew Cooper
2013-06-11 14:31 ` Ian Jackson
2013-06-07 18:27 ` [PATCH 21/22] libxc: range checks in xc_dom_p2m_host and _guest Ian Jackson
2013-06-07 18:33 ` Andrew Cooper
2013-06-08 12:05 ` Andrew Cooper
2013-06-11 15:58 ` Ian Jackson
2013-06-11 16:19 ` Tim Deegan
2013-06-07 18:27 ` [PATCH 22/22] libxc: check blob size before proceeding in xc_dom_check_gzip Ian Jackson
2013-06-10 20:10 ` Andrew Cooper
2013-06-11 13:46 ` Ian Jackson
2013-06-10 23:44 ` [PATCH v6 00/22] XSA55 libelf fixes for unstable Andrew Cooper
-- strict thread matches above, loose matches on Subject: below --
2013-06-07 18:35 [PATCH v6 00/22] XSA55 libelf fixes for Xen 4.2 Ian Jackson
2013-06-07 18:35 ` [PATCH 12/22] libelf: Check pointer references in elf_is_elfbinary Ian Jackson
2013-06-11 18:20 [PATCH v7 00/22] XSA55 libelf fixes for unstable Ian Jackson
2013-06-11 18:20 ` [PATCH 12/22] libelf: Check pointer references in elf_is_elfbinary Ian Jackson
2013-06-11 19:03 ` Andrew Cooper
2013-06-11 18:22 [PATCH v7 00/22] XSA55 libelf fixes for Xen 4.2 Ian Jackson
2013-06-11 18:22 ` [PATCH 12/22] libelf: Check pointer references in elf_is_elfbinary Ian Jackson
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=51B65B8D.9070009@citrix.com \
--to=andrew.cooper3@citrix.com \
--cc=ian.jackson@eu.citrix.com \
--cc=mattjd@gmail.com \
--cc=security@xen.org \
--cc=xen-devel@lists.xensource.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).