From: George Dunlap <george.dunlap@eu.citrix.com>
To: Ian Jackson <Ian.Jackson@eu.citrix.com>
Cc: Andrew Cooper <andrew.cooper3@citrix.com>,
"xen-devel@lists.xensource.com" <xen-devel@lists.xensource.com>,
mattjd@gmail.com, security@xen.org
Subject: Re: [PATCH 18/23] libxc: Add range checking to xc_dom_binloader
Date: Fri, 14 Jun 2013 16:09:15 +0100 [thread overview]
Message-ID: <51BB321B.80800@eu.citrix.com> (raw)
In-Reply-To: <20923.12455.79753.831636@mariner.uk.xensource.com>
On 14/06/13 16:03, Ian Jackson wrote:
> George Dunlap writes ("Re: [Xen-devel] [PATCH 18/23] libxc: Add range checking to xc_dom_binloader"):
>> On Thu, Jun 13, 2013 at 7:14 PM, Ian Jackson <ian.jackson@eu.citrix.com> wrote:
>>> * When clamping the end of the region to search, that we do not
>>> calculate pointers beyond the end of the image. The C
>>> specification does not permit this and compilers are becoming ever
>>> more determined to miscompile code when they can "prove" various
>>> falsehoods based on assertions from the C spec.
> ...
>>> + if ( dom->kernel_size < sizeof(*table) )
>>> + return NULL;
>>> probe_ptr = dom->kernel_blob;
>>> probe_end = dom->kernel_blob + dom->kernel_size - sizeof(*table);
>>> - if ( (void*)probe_end > (dom->kernel_blob + 8192) )
>>> + if ( dom->kernel_size >= 8192 &&
>>> + (void*)probe_end > (dom->kernel_blob + 8192) )
>>> probe_end = dom->kernel_blob + 8192;
>> Wait, what's going on here? Isn't the point of this check originally
>> that "probe_end" might be pointing off into nowhere, and you're going
>> to "clip" it into pointing somewhere reasonable?
> No. The (undocumented) format being parsed here is that the info
> table should start no later than 8k into the file. probe_end is the
> first address to no longer look for the table at.
>
> Firstly we set probe_end to the end of the image minus the table
> length - which would imply searching the whole image. The (original
> and unchanged) purpose of the if statement and assignment is to limit
> this to 8192 bytes from the start of the image.
>
> However there is a bug: if the image is less than 8k long, this
> involves computing a wild pointer (which is forbidden). So in my
> patch I add an additional test.
>
>> It doesn't look like you've actually changed any pointer arithmetic --
>> if either probe_end or dom->kernel_blob + 8192 are wild, then they'll
>> still be wild after this check, won't they?
> The initial value of probe_end is guaranteed not to be wild.
>
> Before my change dom->kernel_blob + 8192 might be computed even if
> it is wild; after my change it is only computed if it is guaranteed
> not to be.
Oh, I see -- right; so if "dom->kernel_size < 8192", then
"dom->kernel_blob+8192" might be wild; but as long as "dom->kernel_size
> 8192", then "dom->kernel_blob + 8192" will be fine.
And if dom->kernel_size < 8192, then probe_end will already be <
dom->kernel_blob+8192, so we don't need to clip things.
Might be nice to put a comment here, so people coming later can make
sense out of this. Even if people read the changeset description, they
may, like me, not be able to suss out which calculation is in danger of
being wild.
Other than that:
Reviewed-by: George Dunlap <george.dunlap@eu.citrix.com>
next prev parent reply other threads:[~2013-06-14 15:09 UTC|newest]
Thread overview: 35+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-06-13 18:14 [PATCH v8 00/23] XSA55 libelf fixes for unstable Ian Jackson
2013-06-13 18:14 ` [PATCH 01/23] libelf: abolish libelf-relocate.c Ian Jackson
2013-06-13 18:14 ` [PATCH 02/23] libxc: introduce xc_dom_seg_to_ptr_pages Ian Jackson
2013-06-13 18:14 ` [PATCH 03/23] libxc: Fix range checking in xc_dom_pfn_to_ptr etc Ian Jackson
2013-06-13 18:14 ` [PATCH 04/23] libelf: add `struct elf_binary*' parameter to elf_load_image Ian Jackson
2013-06-13 18:14 ` [PATCH 05/23] libelf: abolish elf_sval and elf_access_signed Ian Jackson
2013-06-13 18:14 ` [PATCH 06/23] libelf: move include of <asm/guest_access.h> to top of file Ian Jackson
2013-06-13 18:14 ` [PATCH 07/23] libelf/xc_dom_load_elf_symtab: Do not use "syms" uninitialised Ian Jackson
2013-06-13 18:14 ` [PATCH 08/23] libelf: introduce macros for memory access and pointer handling Ian Jackson
2013-06-13 18:14 ` [PATCH 09/23] tools/xcutils/readnotes: adjust print_l1_mfn_valid_note Ian Jackson
2013-06-13 18:14 ` [PATCH 10/23] libelf: check nul-terminated strings properly Ian Jackson
2013-06-13 18:14 ` [PATCH 11/23] libelf: check all pointer accesses Ian Jackson
2013-06-13 18:14 ` [PATCH 12/23] libelf: Check pointer references in elf_is_elfbinary Ian Jackson
2013-06-13 18:14 ` [PATCH 13/23] libelf: Make all callers call elf_check_broken Ian Jackson
2013-06-13 18:14 ` [PATCH 14/23] libelf: use C99 bool for booleans Ian Jackson
2013-06-13 18:14 ` [PATCH 15/23] libelf: use only unsigned integers Ian Jackson
2013-06-13 18:14 ` [PATCH 16/23] libelf: check loops for running away Ian Jackson
2013-06-13 18:14 ` [PATCH 17/23] libelf: abolish obsolete macros Ian Jackson
2013-06-13 18:14 ` [PATCH 18/23] libxc: Add range checking to xc_dom_binloader Ian Jackson
2013-06-14 14:53 ` George Dunlap
2013-06-14 15:03 ` Ian Jackson
2013-06-14 15:09 ` George Dunlap [this message]
2013-06-14 15:12 ` George Dunlap
2013-06-14 15:13 ` George Dunlap
2013-06-14 15:14 ` Ian Jackson
2013-06-14 15:19 ` George Dunlap
2013-06-14 15:24 ` Ian Jackson
2013-06-14 15:29 ` George Dunlap
2013-06-13 18:14 ` [PATCH 19/23] libxc: check failure of xc_dom_*_to_ptr, xc_map_foreign_range Ian Jackson
2013-06-13 18:14 ` [PATCH 20/23] libxc: check return values from malloc Ian Jackson
2013-06-13 18:15 ` [PATCH 21/23] libxc: range checks in xc_dom_p2m_host and _guest Ian Jackson
2013-06-13 18:15 ` [PATCH 22/23] libxc: check blob size before proceeding in xc_dom_check_gzip Ian Jackson
2013-06-13 18:15 ` [PATCH 23/23] libxc: Better range check in xc_dom_alloc_segment Ian Jackson
2013-06-13 18:18 ` [PATCH v8 00/23] XSA55 libelf fixes for unstable Ian Jackson
-- strict thread matches above, loose matches on Subject: below --
2013-06-13 18:18 [PATCH v8 00/22] XSA55 libelf fixes for Xen 4.2 Ian Jackson
2013-06-13 18:18 ` [PATCH 18/23] libxc: Add range checking to xc_dom_binloader Ian Jackson
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=51BB321B.80800@eu.citrix.com \
--to=george.dunlap@eu.citrix.com \
--cc=Ian.Jackson@eu.citrix.com \
--cc=andrew.cooper3@citrix.com \
--cc=mattjd@gmail.com \
--cc=security@xen.org \
--cc=xen-devel@lists.xensource.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).