From: Matthew Daley
Subject: Re: [PATCH 4 00/16] XSA55 libelf fixes for unstable
Date: Fri, 7 Jun 2013 15:35:52 +1200
In-Reply-To: <20912.55123.351688.230616@mariner.uk.xensource.com>
References: <1370368803-9436-1-git-send-email-ian.jackson@eu.citrix.com> <20912.55123.351688.230616@mariner.uk.xensource.com>
To: Ian Jackson
Cc: andrew.cooper3@citrix.com, xen-devel@lists.xensource.com, security@xen.org
List-Id: xen-devel@lists.xenproject.org

On Fri, Jun 7, 2013 at 6:39 AM, Ian Jackson wrote:
> Matthew Daley writes ("Re: [PATCH 4 00/16] XSA55 libelf fixes for unstable"):
>> Looks like there's another issue that needs fixing up in this XSA
>> (surprise!):
>
> Urgh.
>
>> setup_hypercall_page (in xc_dom_boot.c) calls xc_dom_p2m_guest with an
>> unchecked, user-controlled pfn:
> ...
>> Here, the silly dom->parms.virt_base is leading to an out-of-bounds
>> array access to the guest p2m table.
>
> Thanks. I have a proposed fix for this, below. I haven't tested it.
> Can you do so easily ? It seems a bit remote from the problem but I
> think it should suffice.

Seems to work now in v5:

Starting program: /usr/local/sbin/xl create /dev/null kernel=\'check/_usr_lib_debug_vmlinux-3_2_0-4-amd64-37bdfe88206dbe6f75d9c6e021fd9b83c27814d2-5873-0_001_1e-06-file.2.0-4-amd64\'\;\ name=\'poop\'
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Parsing config from /dev/null
xc: error: panic: xc_dom_boot.c:61: setup_hypercall_page: HYPERCALL_INIT failed (rc=-1): Internal error
libxl: error: libxl_dom.c:400:libxl__build_pv: xc_dom_boot_image failed: Permission denied
libxl: error: libxl_create.c:900:domcreate_rebuild_done: cannot (re-)build domain: -3
[Inferior 1 (process 5459) exited with code 03]
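The bug discussed in the thread, modelled as an added example that is not Xen's code or the fix Ian posted: a p2m lookup indexed by a pfn derived from the guest-supplied virt_base, first unchecked and then bounds-checked against the table size. The struct, the field names, INVALID_MFN and the identity-mapped test table are all hypothetical stand-ins chosen for this illustration.

```c
#include <stdint.h>
#include <stddef.h>

#define PAGE_SHIFT  12
#define INVALID_MFN ((uint64_t)-1)   /* hypothetical sentinel for "no mapping" */

typedef uint64_t pfn_t;

/* Hypothetical stand-in for the libxc domain image; not the real struct. */
struct dom_image {
    const pfn_t *p2m_host;    /* guest pfn -> host mfn table */
    uint64_t     total_pages; /* number of valid entries in p2m_host */
    uint64_t     virt_base;   /* guest virtual base taken from untrusted ELF notes */
};

/* Vulnerable pattern: the table is indexed with whatever pfn the caller hands in.
 * Never called below; a pfn >= total_pages reads outside the allocation. */
static pfn_t p2m_unchecked(const struct dom_image *dom, pfn_t pfn)
{
    return dom->p2m_host[pfn];
}

/* Hardened lookup: refuse any pfn that is not inside the table. */
static pfn_t p2m_checked(const struct dom_image *dom, pfn_t pfn)
{
    if (pfn >= dom->total_pages)
        return INVALID_MFN;
    return dom->p2m_host[pfn];
}

/* Resolve the hypercall page's host frame from a guest vaddr. The subtraction is
 * unsigned, so a virt_base above vaddr wraps to a huge pfn; the check after the
 * computation catches that case as well as a plainly oversized pfn.
 * Returns 0 and sets *mfn on success, -1 when the page is outside the guest. */
static int hypercall_page_mfn(const struct dom_image *dom, uint64_t vaddr, pfn_t *mfn)
{
    uint64_t pfn = (vaddr - dom->virt_base) >> PAGE_SHIFT;
    pfn_t m = p2m_checked(dom, pfn);
    if (m == INVALID_MFN)
        return -1;
    *mfn = m;
    return 0;
}

/* Constructed four-page guest for testing: pfn i maps to host frame 100 + i. */
static const pfn_t test_table[4] = { 100, 101, 102, 103 };

static struct dom_image test_dom(uint64_t virt_base)
{
    struct dom_image d = { test_table, 4, virt_base };
    return d;
}
```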