From 127c78b8b7615b2e895a879792f4b0b825a02a81 Mon Sep 17 00:00:00 2001
From: Ian Jackson
Date: Fri, 26 Oct 2012 16:09:29 +0100
Subject: libxc: builder: limit maximum size of kernel/ramdisk.

Allowing user supplied kernels of arbitrary sizes, especially during decompression, can swallow up dom0 memory leading to either virtual address space exhaustion in the builder process or allocation failures/OOM killing of both toolstack and unrelated processes.

We disable these checks when building in a stub domain for pvgrub since this uses the guest's own memory and is isolated.

Decompression of gzip compressed kernels and ramdisks has been safe since 14954:58205257517d (Xen 3.1.0 onwards).

This is XSA-25 / CVE-2012-4544.

Also make explicit checks for buffer overflows in various decompression routines. These were already ruled out due to other properties of the code but check them as a belt-and-braces measure.

Signed-off-by: Ian Campbell
Acked-by: Ian Jackson
---
 stubdom/grub/kexec.c | 4 ++++
 1 file changed, 4 insertions(+)
(limited to 'stubdom')

diff --git a/stubdom/grub/kexec.c b/stubdom/grub/kexec.c
index 06bef52ac2..b21c91ae99 100644
--- a/stubdom/grub/kexec.c
+++ b/stubdom/grub/kexec.c
@@ -137,6 +137,10 @@ void kexec(void *kernel, long kernel_size, void *module, long module_size, char dom = xc_dom_allocate(xc_handle, cmdline, features); dom->allocate = kexec_allocate; + /* We are using guest owned memory, therefore no limits. */ + xc_dom_kernel_max_size(dom, 0); + xc_dom_ramdisk_max_size(dom, 0); + dom->kernel_blob = kernel; dom->kernel_size = kernel_size;
-- 
cgit v1.2.3
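Review bot: the two added calls `xc_dom_kernel_max_size(dom, 0);` and `xc_dom_ramdisk_max_size(dom, 0);` depend on 0 meaning "no limit", but the only place that convention is stated in this view is the new comment; because the diff is limited to 'stubdom', the libxc side of the commit where these setters are defined and where the default limits are enforced is not shown, so confirm there that 0 disables the check rather than imposing a zero-byte limit (a zero-byte limit would reject every kernel and ramdisk pvgrub tries to load). The hunk also adds two more dereferences of `dom` directly after `xc_dom_allocate()` with no NULL check; the existing `dom->allocate = kexec_allocate;` line has the same problem, and since the purpose of this fix is to survive allocation failure in the builder, a check such as `if (!dom) return;` before this block would be in keeping with it. Finally, the comment "We are using guest owned memory, therefore no limits." would be clearer if it spelled out the consequence the commit message gives: a kernel or ramdisk that exhausts memory here only affects this guest's own stub domain, not dom0.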