diff options
author | Ian Jackson <ian.jackson@eu.citrix.com> | 2013-06-14 16:39:36 +0100 |
---|---|---|
committer | Ian Jackson <Ian.Jackson@eu.citrix.com> | 2013-06-14 16:39:36 +0100 |
commit | c84481fbc7de7d15ff7476b3b9cd2713f81feaa3 (patch) | |
tree | 6f44535f73cdc2984bbcbc895558a02542d232c6 /xen/arch/x86/domain_build.c | |
parent | 943de71cf07d9d04ccb215bd46153b04930e9f25 (diff) | |
download | xen-c84481fbc7de7d15ff7476b3b9cd2713f81feaa3.tar.gz xen-c84481fbc7de7d15ff7476b3b9cd2713f81feaa3.tar.bz2 xen-c84481fbc7de7d15ff7476b3b9cd2713f81feaa3.zip |
libelf: Make all callers call elf_check_broken
This arranges that if the new pointer reference error checking
tripped, we actually get a message about it. In this patch these
messages do not change the actual return values from the various
functions: so pointer reference errors do not prevent loading. This
is for fear that some existing kernels might cause the code to make
these wild references, which would then break, which is not a good
thing in a security patch.
In xen/arch/x86/domain_build.c we have to introduce an "out" label and
change all of the "return rc" beyond the relevant point into "goto
out".
This is part of the fix to a security issue, XSA-55.
Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>
Reviewed-by: George Dunlap <george.dunlap@eu.citrix.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
v5: Fix two whitespace errors.
v3.1:
Add error check to xc_dom_parse_elf_kernel.
Move check in xc_hvm_build_x86.c:setup_guest to right place.
v2 was Acked-by: Ian Campbell <ian.campbell@citrix.com>
v2 was Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
v2: Style fixes.
Diffstat (limited to 'xen/arch/x86/domain_build.c')
-rw-r--r-- | xen/arch/x86/domain_build.c | 28 |
1 files changed, 21 insertions, 7 deletions
diff --git a/xen/arch/x86/domain_build.c b/xen/arch/x86/domain_build.c index db31a91154..03fe845e4b 100644 --- a/xen/arch/x86/domain_build.c +++ b/xen/arch/x86/domain_build.c @@ -380,7 +380,7 @@ int __init construct_dom0( #endif elf_parse_binary(&elf); if ( (rc = elf_xen_parse(&elf, &parms)) != 0 ) - return rc; + goto out; /* compatibility check */ compatible = 0; @@ -408,14 +408,16 @@ int __init construct_dom0( if ( !compatible ) { printk("Mismatch between Xen and DOM0 kernel\n"); - return -EINVAL; + rc = -EINVAL; + goto out; } if ( parms.elf_notes[XEN_ELFNOTE_SUPPORTED_FEATURES].type != XEN_ENT_NONE && !test_bit(XENFEAT_dom0, parms.f_supported) ) { printk("Kernel does not support Dom0 operation\n"); - return -EINVAL; + rc = -EINVAL; + goto out; } if ( compat32 ) @@ -596,7 +598,8 @@ int __init construct_dom0( (v_end > HYPERVISOR_COMPAT_VIRT_START(d)) ) { printk("DOM0 image overlaps with Xen private area.\n"); - return -EINVAL; + rc = -EINVAL; + goto out; } if ( is_pv_32on64_domain(d) ) @@ -771,7 +774,7 @@ int __init construct_dom0( if ( rc < 0 ) { printk("Failed to load the kernel binary\n"); - return rc; + goto out; } bootstrap_map(NULL); @@ -783,7 +786,8 @@ int __init construct_dom0( mapcache_override_current(NULL); write_ptbase(current); printk("Invalid HYPERCALL_PAGE field in ELF notes.\n"); - return -1; + rc = -1; + goto out; } hypercall_page_initialise( d, (void *)(unsigned long)parms.virt_hypercall); @@ -1133,9 +1137,19 @@ int __init construct_dom0( BUG_ON(rc != 0); - iommu_dom0_init(dom0); + if ( elf_check_broken(&elf) ) + printk(" Xen warning: dom0 kernel broken ELF: %s\n", + elf_check_broken(&elf)); + iommu_dom0_init(dom0); return 0; + +out: + if ( elf_check_broken(&elf) ) + printk(" Xen dom0 kernel broken ELF: %s\n", + elf_check_broken(&elf)); + + return rc; } /* |