author | Ian Jackson <Ian.Jackson@eu.citrix.com> | 2012-10-26 16:10:04 +0100 |
---|---|---|
committer | Ian Jackson <Ian.Jackson@eu.citrix.com> | 2012-10-26 16:10:04 +0100 |
commit | 7ce4c765975097bddffaa2fc482d5c16355687af (patch) | |
tree | fffeae88973e499748bf47fb6f363b77ec4932b6 /stubdom/grub | |
parent | 27fa8889f4d8bc85ae695616de48804f2b10dc58 (diff) | |
libxc: builder: limit maximum size of kernel/ramdisk.

Allowing user supplied kernels of arbitrary sizes, especially during
decompression, can swallow up dom0 memory leading to either virtual
address space exhaustion in the builder process or allocation
failures/OOM killing of both toolstack and unrelated processes.

We disable these checks when building in a stub domain for pvgrub
since this uses the guest's own memory and is isolated.

Decompression of gzip compressed kernels and ramdisks has been safe
since 14954:58205257517d (Xen 3.1.0 onwards).

This is XSA-25 / CVE-2012-4544.

Also make explicit checks for buffer overflows in various
decompression routines. These were already ruled out due to other
properties of the code but check them as a belt-and-braces measure.

Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>

[ Includes 25589:60f09d1ab1fe for CVE-2012-2625 ]
Diffstat (limited to 'stubdom/grub')
-rw-r--r-- | stubdom/grub/kexec.c | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/stubdom/grub/kexec.c b/stubdom/grub/kexec.c index 06bef52ac2..b21c91ae99 100644 --- a/stubdom/grub/kexec.c +++ b/stubdom/grub/kexec.c @@ -137,6 +137,10 @@ void kexec(void *kernel, long kernel_size, void *module, long module_size, char dom = xc_dom_allocate(xc_handle, cmdline, features); dom->allocate = kexec_allocate; + /* We are using guest owned memory, therefore no limits. */ + xc_dom_kernel_max_size(dom, 0); + xc_dom_ramdisk_max_size(dom, 0); + dom->kernel_blob = kernel; dom->kernel_size = kernel_size; |
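Review bot: the meaning of the 0 argument in `xc_dom_kernel_max_size(dom, 0)` and `xc_dom_ramdisk_max_size(dom, 0)` is not visible at this call site (the definitions of these setters are outside the stubdom/grub diffstat), so the one-line comment should say explicitly that 0 means "no limit", that this opts pv-grub out of the XSA-25 kernel/ramdisk size cap, and why that is acceptable here (the builder is running inside the guest and allocates from the guest's own memory through `kexec_allocate`). Without that, a later reader is likely to either drop the calls or replace 0 with an arbitrary cap. The placement is right: the limits are set after `dom->allocate = kexec_allocate;` and before `dom->kernel_blob = kernel;`, so they are in effect before the blob is attached to the domain.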