diff options
author | Ian Jackson <ian.jackson@eu.citrix.com> | 2013-06-14 16:45:38 +0100 |
---|---|---|
committer | Ian Jackson <Ian.Jackson@eu.citrix.com> | 2013-06-14 16:45:38 +0100 |
commit | 9962d7ffcce97ec2d69a15ef861996b1ead33694 (patch) | |
tree | e66a35dfaffc749012ee6b12179bc5d996db2e1d /tools | |
parent | 39923542bb43e67776c4e8292d4a5a1adef2bd3b (diff) | |
download | xen-9962d7ffcce97ec2d69a15ef861996b1ead33694.tar.gz xen-9962d7ffcce97ec2d69a15ef861996b1ead33694.tar.bz2 xen-9962d7ffcce97ec2d69a15ef861996b1ead33694.zip |
libelf: Check pointer references in elf_is_elfbinary
elf_is_elfbinary didn't take a length parameter and could potentially
access out of range when provided with a very short image.
We only need to check the size is enough for the actual dereference in
elf_is_elfbinary; callers are just using it to check the magic number
and do their own checks (usually via the new elf_ptrval system) before
dereferencing other parts of the header.
This is part of the fix to a security issue, XSA-55.
Conflicts in 4.1 backport:
* xen/arch/x86/bzimage.c in 4.1 doesn't use elf_is_elfbinary.
Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Diffstat (limited to 'tools')
-rw-r--r-- | tools/libxc/xc_dom_elfloader.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/tools/libxc/xc_dom_elfloader.c b/tools/libxc/xc_dom_elfloader.c index b10790a537..945df7a2aa 100644 --- a/tools/libxc/xc_dom_elfloader.c +++ b/tools/libxc/xc_dom_elfloader.c @@ -95,7 +95,7 @@ static int check_elf_kernel(struct xc_dom_image *dom, int verbose) return -EINVAL; } - if ( !elf_is_elfbinary(dom->kernel_blob) ) + if ( !elf_is_elfbinary(dom->kernel_blob, dom->kernel_size) ) { if ( verbose ) xc_dom_panic(dom->xch, |