1 From b06e277b1fc08c7da3befeb3ac3950e1d941585d Mon Sep 17 00:00:00 2001
2 From: Ian Jackson <ian.jackson@eu.citrix.com>
3 Date: Fri, 14 Jun 2013 16:43:19 +0100
4 Subject: [PATCH 18/23] libxc: Add range checking to xc_dom_binloader
6 This is a simple binary image loader with its own metadata format.
7 However, it is too careless with image-supplied values.
9 Add the following checks:
11 * That the image is bigger than the metadata table; otherwise the
12 pointer arithmetic to calculate the metadata table location may
13 yield undefined and dangerous values.
15 * When clamping the end of the region to search, that we do not
16 calculate pointers beyond the end of the image. The C
17 specification does not permit this and compilers are becoming ever
18 more determined to miscompile code when they can "prove" various
19 falsehoods based on assertions from the C spec.
21 * That the supplied image is big enough for the text we are allegedly
22 copying from it. Otherwise we might have a read overrun and copy
23 the results (perhaps a lot of secret data) into the guest.
25 This is part of the fix to a security issue, XSA-55.
27 Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>
29 tools/libxc/xc_dom_binloader.c | 15 +++++++++++++--
30 1 files changed, 13 insertions(+), 2 deletions(-)
32 diff --git a/tools/libxc/xc_dom_binloader.c b/tools/libxc/xc_dom_binloader.c
33 index bde93f7..8596a28 100644
34 --- a/tools/libxc/xc_dom_binloader.c
35 +++ b/tools/libxc/xc_dom_binloader.c
36 @@ -123,10 +123,13 @@ static struct xen_bin_image_table *find_table(struct xc_dom_image *dom)
40 + if ( dom->kernel_size < sizeof(*table) )
42 probe_ptr = dom->kernel_blob;
43 - probe_end = dom->kernel_blob + dom->kernel_size - sizeof(*table);
44 - if ( (void*)probe_end > (dom->kernel_blob + 8192) )
45 + if ( dom->kernel_size > (8192 + sizeof(*table)) )
46 probe_end = dom->kernel_blob + 8192;
48 + probe_end = dom->kernel_blob + dom->kernel_size - sizeof(*table);
50 for ( table = NULL; probe_ptr < probe_end; probe_ptr++ )
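Review bot: The new clamp uses the bare literal 8192 twice (in the comparison and in the probe_end assignment) with no comment on why the table search is limited to the first 8 KiB of the image, which is the main thing a later reader of this bound check will want to know. A one-line comment above the `if`, such as `/* The image table must lie within the first 8192 bytes of the image; probe_end also stays sizeof(*table) short of the end so every probed table is wholly inside the blob */`, would document both halves of the new check, and hoisting the literal into a named constant would keep the two occurrences from drifting apart. Separately, and pre-existing rather than introduced here, `probe_ptr < probe_end` never examines a table starting exactly at probe_end, which after the new else branch is the last offset where a whole table still fits; if that offset is meant to be searchable, `<=` appears safe in both branches, since each leaves at least sizeof(*table) bytes after probe_end. find_table's declarations and the loop body are outside the hunk.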
52 @@ -282,6 +285,14 @@ static int xc_dom_load_bin_kernel(struct xc_dom_image *dom)
56 + if ( image_size < skip ||
57 + image_size - skip < text_size )
59 + DOMPRINTF("%s: image is too small for declared text size",
64 memcpy(dest, image + skip, text_size);
65 memset(dest + text_size, 0, bss_size);