diff options
author | Ian Jackson <ian.jackson@eu.citrix.com> | 2013-06-14 16:39:36 +0100 |
---|---|---|
committer | Ian Jackson <Ian.Jackson@eu.citrix.com> | 2013-06-14 16:39:36 +0100 |
commit | 943de71cf07d9d04ccb215bd46153b04930e9f25 (patch) | |
tree | 0a2ac34b2bf39b2b4185ef398ee5471c73370540 /xen/common | |
parent | 65808a8ed41cc7c044f588bd6cab5af0fdc0e029 (diff) | |
download | xen-943de71cf07d9d04ccb215bd46153b04930e9f25.tar.gz xen-943de71cf07d9d04ccb215bd46153b04930e9f25.tar.bz2 xen-943de71cf07d9d04ccb215bd46153b04930e9f25.zip |
libelf: Check pointer references in elf_is_elfbinary
elf_is_elfbinary didn't take a length parameter and could potentially
access out of range when provided with a very short image.
We only need to check the size is enough for the actual dereference in
elf_is_elfbinary; callers are just using it to check the magic number
and do their own checks (usually via the new elf_ptrval system) before
dereferencing other parts of the header.
This is part of the fix to a security issue, XSA-55.
Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
v7: Add a comment about the limited function of elf_is_elfbinary.
v2: Style fix.
Fix commit message subject.
Diffstat (limited to 'xen/common')
-rw-r--r-- | xen/common/libelf/libelf-loader.c | 2 | ||||
-rw-r--r-- | xen/common/libelf/libelf-tools.c | 9 |
2 files changed, 7 insertions, 4 deletions
diff --git a/xen/common/libelf/libelf-loader.c b/xen/common/libelf/libelf-loader.c index 878552ef08..6c43c34619 100644 --- a/xen/common/libelf/libelf-loader.c +++ b/xen/common/libelf/libelf-loader.c @@ -29,7 +29,7 @@ int elf_init(struct elf_binary *elf, const char *image_input, size_t size) ELF_HANDLE_DECL(elf_shdr) shdr; uint64_t i, count, section, offset; - if ( !elf_is_elfbinary(image_input) ) + if ( !elf_is_elfbinary(image_input, size) ) { elf_err(elf, "%s: not an ELF binary\n", __FUNCTION__); return -1; diff --git a/xen/common/libelf/libelf-tools.c b/xen/common/libelf/libelf-tools.c index 08ab0279de..b613593786 100644 --- a/xen/common/libelf/libelf-tools.c +++ b/xen/common/libelf/libelf-tools.c @@ -332,11 +332,14 @@ ELF_HANDLE_DECL(elf_note) elf_note_next(struct elf_binary *elf, ELF_HANDLE_DECL( /* ------------------------------------------------------------------------ */ -int elf_is_elfbinary(const void *image) +int elf_is_elfbinary(const void *image_start, size_t image_size) { - const Elf32_Ehdr *ehdr = image; + const Elf32_Ehdr *ehdr = image_start; - return IS_ELF(*ehdr); /* fixme unchecked */ + if ( image_size < sizeof(*ehdr) ) + return 0; + + return IS_ELF(*ehdr); } int elf_phdr_is_loadable(struct elf_binary *elf, ELF_HANDLE_DECL(elf_phdr) phdr) |