From: George Dunlap <george.dunlap@eu.citrix.com>
To: Ian Jackson <Ian.Jackson@eu.citrix.com>
Cc: Andrew Cooper <andrew.cooper3@citrix.com>,
"xen-devel@lists.xensource.com" <xen-devel@lists.xensource.com>,
mattjd@gmail.com, security@xen.org
Subject: Re: [PATCH 18/23] libxc: Add range checking to xc_dom_binloader
Date: Fri, 14 Jun 2013 16:29:06 +0100 [thread overview]
Message-ID: <51BB36C2.4000709@eu.citrix.com> (raw)
In-Reply-To: <20923.13768.315739.369184@mariner.uk.xensource.com>
On 14/06/13 16:24, Ian Jackson wrote:
> George Dunlap writes ("Re: [Xen-devel] [PATCH 18/23] libxc: Add range checking to xc_dom_binloader"):
>> I think disturbing it in a way that is obviously correct is better than
>> disturbing it in a way that looks redundant.
> That's an argument.
>
> How about this then ?
> (diff against previous tip followed by revised patch)
>
> Ian.
>
> commit 202da02f40b1806138419002c3e29dc8ce0e88c2
> Author: Ian Jackson <ian.jackson@eu.citrix.com>
> Date: Fri Jun 14 16:23:44 2013 +0100
>
> Use clearer code for calculating probe_end
>
> diff --git a/.topmsg b/.topmsg
> index c5cff24..1e1b932 100644
> --- a/.topmsg
> +++ b/.topmsg
> @@ -25,6 +25,8 @@ This is part of the fix to a security issue, XSA-55.
> Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>
> Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
>
> +v9: Use clearer code for calculating probe_end in find_table.
> +
> v6: Add a missing `return -EINVAL' (Matthew Daley).
> Fix an error in the commit message (Matthew Daley).
>
> diff --git a/tools/libxc/xc_dom_binloader.c b/tools/libxc/xc_dom_binloader.c
> index 7eaf071..6469a65 100644
> --- a/tools/libxc/xc_dom_binloader.c
> +++ b/tools/libxc/xc_dom_binloader.c
> @@ -126,10 +126,10 @@ static struct xen_bin_image_table *find_table(struct xc_dom_image *dom)
> if ( dom->kernel_size < sizeof(*table) )
> return NULL;
> probe_ptr = dom->kernel_blob;
> - probe_end = dom->kernel_blob + dom->kernel_size - sizeof(*table);
> - if ( dom->kernel_size >= 8192 &&
> - (void*)probe_end > (dom->kernel_blob + 8192) )
> + if ( dom->kernel_size > (8192 + sizeof(*table)) )
> probe_end = dom->kernel_blob + 8192;
> + else
> + probe_end = dom->kernel_blob + dom->kernel_size - sizeof(*table);
>
> for ( table = NULL; probe_ptr < probe_end; probe_ptr++ )
> {
>
>
>
> From: Ian Jackson <ian.jackson@eu.citrix.com>
> Subject: [PATCH] libxc: Add range checking to xc_dom_binloader
>
> This is a simple binary image loader with its own metadata format.
> However, it is too careless with image-supplied values.
>
> Add the following checks:
>
> * That the image is bigger than the metadata table; otherwise the
> pointer arithmetic to calculate the metadata table location may
> yield undefined and dangerous values.
>
> * When clamping the end of the region to search, that we do not
> calculate pointers beyond the end of the image. The C
> specification does not permit this and compilers are becoming ever
> more determined to miscompile code when they can "prove" various
> falsehoods based on assertions from the C spec.
>
> * That the supplied image is big enough for the text we are allegedly
> copying from it. Otherwise we might have a read overrun and copy
> the results (perhaps a lot of secret data) into the guest.
>
> This is part of the fix to a security issue, XSA-55.
>
> Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>
> Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
This looks good -- thanks:
Reviewed-by: George Dunlap <george.dunlap@eu.citrix.com>
next prev parent reply other threads:[~2013-06-14 15:29 UTC|newest]
Thread overview: 35+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-06-13 18:14 [PATCH v8 00/23] XSA55 libelf fixes for unstable Ian Jackson
2013-06-13 18:14 ` [PATCH 01/23] libelf: abolish libelf-relocate.c Ian Jackson
2013-06-13 18:14 ` [PATCH 02/23] libxc: introduce xc_dom_seg_to_ptr_pages Ian Jackson
2013-06-13 18:14 ` [PATCH 03/23] libxc: Fix range checking in xc_dom_pfn_to_ptr etc Ian Jackson
2013-06-13 18:14 ` [PATCH 04/23] libelf: add `struct elf_binary*' parameter to elf_load_image Ian Jackson
2013-06-13 18:14 ` [PATCH 05/23] libelf: abolish elf_sval and elf_access_signed Ian Jackson
2013-06-13 18:14 ` [PATCH 06/23] libelf: move include of <asm/guest_access.h> to top of file Ian Jackson
2013-06-13 18:14 ` [PATCH 07/23] libelf/xc_dom_load_elf_symtab: Do not use "syms" uninitialised Ian Jackson
2013-06-13 18:14 ` [PATCH 08/23] libelf: introduce macros for memory access and pointer handling Ian Jackson
2013-06-13 18:14 ` [PATCH 09/23] tools/xcutils/readnotes: adjust print_l1_mfn_valid_note Ian Jackson
2013-06-13 18:14 ` [PATCH 10/23] libelf: check nul-terminated strings properly Ian Jackson
2013-06-13 18:14 ` [PATCH 11/23] libelf: check all pointer accesses Ian Jackson
2013-06-13 18:14 ` [PATCH 12/23] libelf: Check pointer references in elf_is_elfbinary Ian Jackson
2013-06-13 18:14 ` [PATCH 13/23] libelf: Make all callers call elf_check_broken Ian Jackson
2013-06-13 18:14 ` [PATCH 14/23] libelf: use C99 bool for booleans Ian Jackson
2013-06-13 18:14 ` [PATCH 15/23] libelf: use only unsigned integers Ian Jackson
2013-06-13 18:14 ` [PATCH 16/23] libelf: check loops for running away Ian Jackson
2013-06-13 18:14 ` [PATCH 17/23] libelf: abolish obsolete macros Ian Jackson
2013-06-13 18:14 ` [PATCH 18/23] libxc: Add range checking to xc_dom_binloader Ian Jackson
2013-06-14 14:53 ` George Dunlap
2013-06-14 15:03 ` Ian Jackson
2013-06-14 15:09 ` George Dunlap
2013-06-14 15:12 ` George Dunlap
2013-06-14 15:13 ` George Dunlap
2013-06-14 15:14 ` Ian Jackson
2013-06-14 15:19 ` George Dunlap
2013-06-14 15:24 ` Ian Jackson
2013-06-14 15:29 ` George Dunlap [this message]
2013-06-13 18:14 ` [PATCH 19/23] libxc: check failure of xc_dom_*_to_ptr, xc_map_foreign_range Ian Jackson
2013-06-13 18:14 ` [PATCH 20/23] libxc: check return values from malloc Ian Jackson
2013-06-13 18:15 ` [PATCH 21/23] libxc: range checks in xc_dom_p2m_host and _guest Ian Jackson
2013-06-13 18:15 ` [PATCH 22/23] libxc: check blob size before proceeding in xc_dom_check_gzip Ian Jackson
2013-06-13 18:15 ` [PATCH 23/23] libxc: Better range check in xc_dom_alloc_segment Ian Jackson
2013-06-13 18:18 ` [PATCH v8 00/23] XSA55 libelf fixes for unstable Ian Jackson
-- strict thread matches above, loose matches on Subject: below --
2013-06-13 18:18 [PATCH v8 00/22] XSA55 libelf fixes for Xen 4.2 Ian Jackson
2013-06-13 18:18 ` [PATCH 18/23] libxc: Add range checking to xc_dom_binloader Ian Jackson
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=51BB36C2.4000709@eu.citrix.com \
--to=george.dunlap@eu.citrix.com \
--cc=Ian.Jackson@eu.citrix.com \
--cc=andrew.cooper3@citrix.com \
--cc=mattjd@gmail.com \
--cc=security@xen.org \
--cc=xen-devel@lists.xensource.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).