|
|
1c5bb4e |
From 9962d7ffcce97ec2d69a15ef861996b1ead33694 Mon Sep 17 00:00:00 2001
|
|
|
e2ce63b |
From: Ian Jackson <ian.jackson@eu.citrix.com>
|
|
|
1c5bb4e |
Date: Fri, 14 Jun 2013 16:45:38 +0100
|
|
|
1c5bb4e |
Subject: [PATCH 10/21] libelf: Check pointer references in elf_is_elfbinary
|
|
|
e2ce63b |
|
|
|
e2ce63b |
elf_is_elfbinary didn't take a length parameter and could potentially
|
|
|
e2ce63b |
access out of range when provided with a very short image.
|
|
|
e2ce63b |
|
|
|
1c5bb4e |
We only need to check the size is enough for the actual dereference in
|
|
|
1c5bb4e |
elf_is_elfbinary; callers are just using it to check the magic number
|
|
|
1c5bb4e |
and do their own checks (usually via the new elf_ptrval system) before
|
|
|
1c5bb4e |
dereferencing other parts of the header.
|
|
|
1c5bb4e |
|
|
|
1c5bb4e |
This is part of the fix to a security issue, XSA-55.
|
|
|
1c5bb4e |
|
|
|
1c5bb4e |
Conflicts in 4.1 backport:
|
|
|
1c5bb4e |
* xen/arch/x86/bzimage.c in 4.1 doesn't use elf_is_elfbinary.
|
|
|
1c5bb4e |
|
|
|
e2ce63b |
Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>
|
|
|
e2ce63b |
Acked-by: Ian Campbell <ian.campbell@citrix.com>
|
|
|
e2ce63b |
Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
|
|
|
e2ce63b |
---
|
|
|
e2ce63b |
tools/libxc/xc_dom_elfloader.c | 2 +-
|
|
|
e2ce63b |
xen/common/libelf/libelf-loader.c | 2 +-
|
|
|
e2ce63b |
xen/common/libelf/libelf-tools.c | 9 ++++++---
|
|
|
1c5bb4e |
xen/include/xen/libelf.h | 4 +++-
|
|
|
1c5bb4e |
4 files changed, 11 insertions(+), 6 deletions(-)
|
|
|
e2ce63b |
|
|
|
e2ce63b |
diff --git a/tools/libxc/xc_dom_elfloader.c b/tools/libxc/xc_dom_elfloader.c
|
|
|
1c5bb4e |
index b10790a..945df7a 100644
|
|
|
e2ce63b |
--- a/tools/libxc/xc_dom_elfloader.c
|
|
|
e2ce63b |
+++ b/tools/libxc/xc_dom_elfloader.c
|
|
|
e2ce63b |
@@ -95,7 +95,7 @@ static int check_elf_kernel(struct xc_dom_image *dom, int verbose)
|
|
|
e2ce63b |
return -EINVAL;
|
|
|
e2ce63b |
}
|
|
|
e2ce63b |
|
|
|
e2ce63b |
- if ( !elf_is_elfbinary(dom->kernel_blob) )
|
|
|
e2ce63b |
+ if ( !elf_is_elfbinary(dom->kernel_blob, dom->kernel_size) )
|
|
|
e2ce63b |
{
|
|
|
e2ce63b |
if ( verbose )
|
|
|
e2ce63b |
xc_dom_panic(dom->xch,
|
|
|
e2ce63b |
diff --git a/xen/common/libelf/libelf-loader.c b/xen/common/libelf/libelf-loader.c
|
|
|
e2ce63b |
index 7bf5e33..96b0fe5 100644
|
|
|
e2ce63b |
--- a/xen/common/libelf/libelf-loader.c
|
|
|
e2ce63b |
+++ b/xen/common/libelf/libelf-loader.c
|
|
|
e2ce63b |
@@ -25,7 +25,7 @@ int elf_init(struct elf_binary *elf, const char *image_input, size_t size)
|
|
|
e2ce63b |
ELF_HANDLE_DECL(elf_shdr) shdr;
|
|
|
e2ce63b |
uint64_t i, count, section, offset;
|
|
|
e2ce63b |
|
|
|
e2ce63b |
- if ( !elf_is_elfbinary(image_input) )
|
|
|
e2ce63b |
+ if ( !elf_is_elfbinary(image_input, size) )
|
|
|
e2ce63b |
{
|
|
|
e2ce63b |
elf_err(elf, "%s: not an ELF binary\n", __FUNCTION__);
|
|
|
e2ce63b |
return -1;
|
|
|
e2ce63b |
diff --git a/xen/common/libelf/libelf-tools.c b/xen/common/libelf/libelf-tools.c
|
|
|
1c5bb4e |
index 4a893f7..3419f0c 100644
|
|
|
e2ce63b |
--- a/xen/common/libelf/libelf-tools.c
|
|
|
e2ce63b |
+++ b/xen/common/libelf/libelf-tools.c
|
|
|
1c5bb4e |
@@ -311,11 +311,14 @@ ELF_HANDLE_DECL(elf_note) elf_note_next(struct elf_binary *elf, ELF_HANDLE_DECL(
|
|
|
e2ce63b |
|
|
|
e2ce63b |
/* ------------------------------------------------------------------------ */
|
|
|
e2ce63b |
|
|
|
e2ce63b |
-int elf_is_elfbinary(const void *image)
|
|
|
e2ce63b |
+int elf_is_elfbinary(const void *image_start, size_t image_size)
|
|
|
e2ce63b |
{
|
|
|
e2ce63b |
- const Elf32_Ehdr *ehdr = image;
|
|
|
e2ce63b |
+ const Elf32_Ehdr *ehdr = image_start;
|
|
|
e2ce63b |
|
|
|
e2ce63b |
- return IS_ELF(*ehdr); /* fixme unchecked */
|
|
|
e2ce63b |
+ if ( image_size < sizeof(*ehdr) )
|
|
|
e2ce63b |
+ return 0;
|
|
|
e2ce63b |
+
|
|
|
e2ce63b |
+ return IS_ELF(*ehdr);
|
|
|
e2ce63b |
}
|
|
|
e2ce63b |
|
|
|
e2ce63b |
int elf_phdr_is_loadable(struct elf_binary *elf, ELF_HANDLE_DECL(elf_phdr) phdr)
|
|
|
e2ce63b |
diff --git a/xen/include/xen/libelf.h b/xen/include/xen/libelf.h
|
|
|
1c5bb4e |
index 827fcfd..8698f67 100644
|
|
|
e2ce63b |
--- a/xen/include/xen/libelf.h
|
|
|
e2ce63b |
+++ b/xen/include/xen/libelf.h
|
|
|
1c5bb4e |
@@ -350,7 +350,9 @@ ELF_PTRVAL_CONST_VOID elf_note_desc(struct elf_binary *elf, ELF_HANDLE_DECL(elf_
|
|
|
e2ce63b |
uint64_t elf_note_numeric(struct elf_binary *elf, ELF_HANDLE_DECL(elf_note) note);
|
|
|
e2ce63b |
ELF_HANDLE_DECL(elf_note) elf_note_next(struct elf_binary *elf, ELF_HANDLE_DECL(elf_note) note);
|
|
|
e2ce63b |
|
|
|
e2ce63b |
-int elf_is_elfbinary(const void *image);
|
|
|
1c5bb4e |
+/* (Only) checks that the image has the right magic number. */
|
|
|
e2ce63b |
+int elf_is_elfbinary(const void *image_start, size_t image_size);
|
|
|
1c5bb4e |
+
|
|
|
e2ce63b |
int elf_phdr_is_loadable(struct elf_binary *elf, ELF_HANDLE_DECL(elf_phdr) phdr);
|
|
|
e2ce63b |
|
|
|
e2ce63b |
/* ------------------------------------------------------------------------ */
|
|
|
e2ce63b |
--
|
|
|
e2ce63b |
1.7.2.5
|
|
|
e2ce63b |
|