diff options
author | Ian Jackson <ian.jackson@eu.citrix.com> | 2013-06-14 16:39:36 +0100 |
---|---|---|
committer | Ian Jackson <Ian.Jackson@eu.citrix.com> | 2013-06-14 16:39:36 +0100 |
commit | 943de71cf07d9d04ccb215bd46153b04930e9f25 (patch) | |
tree | 0a2ac34b2bf39b2b4185ef398ee5471c73370540 /xen/include/xen | |
parent | 65808a8ed41cc7c044f588bd6cab5af0fdc0e029 (diff) | |
download | xen-943de71cf07d9d04ccb215bd46153b04930e9f25.tar.gz xen-943de71cf07d9d04ccb215bd46153b04930e9f25.tar.bz2 xen-943de71cf07d9d04ccb215bd46153b04930e9f25.zip |
libelf: Check pointer references in elf_is_elfbinary
elf_is_elfbinary didn't take a length parameter and could potentially
access out of range when provided with a very short image.
We only need to check the size is enough for the actual dereference in
elf_is_elfbinary; callers are just using it to check the magic number
and do their own checks (usually via the new elf_ptrval system) before
dereferencing other parts of the header.
This is part of the fix to a security issue, XSA-55.
Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
v7: Add a comment about the limited function of elf_is_elfbinary.
v2: Style fix.
Fix commit message subject.
Diffstat (limited to 'xen/include/xen')
-rw-r--r-- | xen/include/xen/libelf.h | 4 |
1 files changed, 3 insertions, 1 deletions
diff --git a/xen/include/xen/libelf.h b/xen/include/xen/libelf.h index f3f18da225..df93f2cae8 100644 --- a/xen/include/xen/libelf.h +++ b/xen/include/xen/libelf.h @@ -350,7 +350,9 @@ uint64_t elf_note_numeric_array(struct elf_binary *, ELF_HANDLE_DECL(elf_note), unsigned int unitsz, unsigned int idx); ELF_HANDLE_DECL(elf_note) elf_note_next(struct elf_binary *elf, ELF_HANDLE_DECL(elf_note) note); -int elf_is_elfbinary(const void *image); +/* (Only) checks that the image has the right magic number. */ +int elf_is_elfbinary(const void *image_start, size_t image_size); + int elf_phdr_is_loadable(struct elf_binary *elf, ELF_HANDLE_DECL(elf_phdr) phdr); /* ------------------------------------------------------------------------ */ |