diff options
author | Ian Jackson <ian.jackson@eu.citrix.com> | 2013-06-14 16:39:37 +0100 |
---|---|---|
committer | Ian Jackson <Ian.Jackson@eu.citrix.com> | 2013-06-14 16:39:37 +0100 |
commit | 2bcee4b3c316379f4b52cb308947eb6db3faf1a0 (patch) | |
tree | 98e1fe95e22c864be94e4bdbffce6ca7d2af0d82 /tools/libxc/xc_dom_armzimageloader.c | |
parent | 66fe2726fe8492676f9970b9c2c511bce6186ece (diff) | |
download | xen-2bcee4b3c316379f4b52cb308947eb6db3faf1a0.tar.gz xen-2bcee4b3c316379f4b52cb308947eb6db3faf1a0.tar.bz2 xen-2bcee4b3c316379f4b52cb308947eb6db3faf1a0.zip |
libxc: Add range checking to xc_dom_binloader
This is a simple binary image loader with its own metadata format.
However, it is too careless with image-supplied values.
Add the following checks:
* That the image is bigger than the metadata table; otherwise the
pointer arithmetic to calculate the metadata table location may
yield undefined and dangerous values.
* When clamping the end of the region to search, that we do not
calculate pointers beyond the end of the image. The C
specification does not permit this and compilers are becoming ever
more determined to miscompile code when they can "prove" various
falsehoods based on assertions from the C spec.
* That the supplied image is big enough for the text we are allegedly
copying from it. Otherwise we might have a read overrun and copy
the results (perhaps a lot of secret data) into the guest.
This is part of the fix to a security issue, XSA-55.
Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: George Dunlap <george.dunlap@eu.citrix.com>
v9: Use clearer code for calculating probe_end in find_table.
v6: Add a missing `return -EINVAL' (Matthew Daley).
Fix an error in the commit message (Matthew Daley).
v5: This patch is new in this version of the series.
Diffstat (limited to 'tools/libxc/xc_dom_armzimageloader.c')
0 files changed, 0 insertions, 0 deletions