From 9962d7ffcce97ec2d69a15ef861996b1ead33694 Mon Sep 17 00:00:00 2001 From: Ian Jackson Date: Fri, 14 Jun 2013 16:45:38 +0100 Subject: [PATCH 10/21] libelf: Check pointer references in elf_is_elfbinary elf_is_elfbinary didn't take a length parameter and could potentially access out of range when provided with a very short image. We only need to check the size is enough for the actual dereference in elf_is_elfbinary; callers are just using it to check the magic number and do their own checks (usually via the new elf_ptrval system) before dereferencing other parts of the header. This is part of the fix to a security issue, XSA-55. Conflicts in 4.1 backport: * xen/arch/x86/bzimage.c in 4.1 doesn't use elf_is_elfbinary. Signed-off-by: Ian Jackson Acked-by: Ian Campbell Reviewed-by: Konrad Rzeszutek Wilk --- tools/libxc/xc_dom_elfloader.c | 2 +- xen/common/libelf/libelf-loader.c | 2 +- xen/common/libelf/libelf-tools.c | 9 ++++++--- xen/include/xen/libelf.h | 4 +++- 4 files changed, 11 insertions(+), 6 deletions(-) diff --git a/tools/libxc/xc_dom_elfloader.c b/tools/libxc/xc_dom_elfloader.c index b10790a..945df7a 100644 --- a/tools/libxc/xc_dom_elfloader.c +++ b/tools/libxc/xc_dom_elfloader.c @@ -95,7 +95,7 @@ static int check_elf_kernel(struct xc_dom_image *dom, int verbose) return -EINVAL; } - if ( !elf_is_elfbinary(dom->kernel_blob) ) + if ( !elf_is_elfbinary(dom->kernel_blob, dom->kernel_size) ) { if ( verbose ) xc_dom_panic(dom->xch, diff --git a/xen/common/libelf/libelf-loader.c b/xen/common/libelf/libelf-loader.c index 7bf5e33..96b0fe5 100644 --- a/xen/common/libelf/libelf-loader.c +++ b/xen/common/libelf/libelf-loader.c @@ -25,7 +25,7 @@ int elf_init(struct elf_binary *elf, const char *image_input, size_t size) ELF_HANDLE_DECL(elf_shdr) shdr; uint64_t i, count, section, offset; - if ( !elf_is_elfbinary(image_input) ) + if ( !elf_is_elfbinary(image_input, size) ) { elf_err(elf, "%s: not an ELF binary\n", __FUNCTION__); return -1; diff --git a/xen/common/libelf/libelf-tools.c b/xen/common/libelf/libelf-tools.c index 4a893f7..3419f0c 100644 --- a/xen/common/libelf/libelf-tools.c +++ b/xen/common/libelf/libelf-tools.c @@ -311,11 +311,14 @@ ELF_HANDLE_DECL(elf_note) elf_note_next(struct elf_binary *elf, ELF_HANDLE_DECL( /* ------------------------------------------------------------------------ */ -int elf_is_elfbinary(const void *image) +int elf_is_elfbinary(const void *image_start, size_t image_size) { - const Elf32_Ehdr *ehdr = image; + const Elf32_Ehdr *ehdr = image_start; - return IS_ELF(*ehdr); /* fixme unchecked */ + if ( image_size < sizeof(*ehdr) ) + return 0; + + return IS_ELF(*ehdr); } int elf_phdr_is_loadable(struct elf_binary *elf, ELF_HANDLE_DECL(elf_phdr) phdr) diff --git a/xen/include/xen/libelf.h b/xen/include/xen/libelf.h index 827fcfd..8698f67 100644 --- a/xen/include/xen/libelf.h +++ b/xen/include/xen/libelf.h @@ -350,7 +350,9 @@ ELF_PTRVAL_CONST_VOID elf_note_desc(struct elf_binary *elf, ELF_HANDLE_DECL(elf_ uint64_t elf_note_numeric(struct elf_binary *elf, ELF_HANDLE_DECL(elf_note) note); ELF_HANDLE_DECL(elf_note) elf_note_next(struct elf_binary *elf, ELF_HANDLE_DECL(elf_note) note); -int elf_is_elfbinary(const void *image); +/* (Only) checks that the image has the right magic number. */ +int elf_is_elfbinary(const void *image_start, size_t image_size); + int elf_phdr_is_loadable(struct elf_binary *elf, ELF_HANDLE_DECL(elf_phdr) phdr); /* ------------------------------------------------------------------------ */ -- 1.7.2.5