From: "Jan Beulich" <JBeulich@suse.com>
To: "Roger Pau Monné" <roger.pau@citrix.com>
Cc: xen-devel@lists.xenproject.org
Subject: Re: [PATCH v4 3/4] libelf: rewrite symtab/strtab loading
Date: Mon, 29 Feb 2016 09:41:29 -0700 [thread overview]
Message-ID: <56D482C902000078000D77AC@prv-mh.provo.novell.com> (raw)
In-Reply-To: <56D46FB8.7070304@citrix.com>
>>> On 29.02.16 at 17:20, <roger.pau@citrix.com> wrote:
> El 29/2/16 a les 13:14, Jan Beulich ha escrit:
>>>>> On 29.02.16 at 11:57, <roger.pau@citrix.com> wrote:
>>> El 29/2/16 a les 10:31, Jan Beulich ha escrit:
>>>>>>> On 26.02.16 at 18:02, <roger.pau@citrix.com> wrote:
>>>>>>> - /* Space for the symbol and string tables. */
>>>>>>> + /* Space for the symbol and string table. */
>>>>>>> for ( i = 0; i < elf_shdr_count(elf); i++ )
>>>>>>> {
>>>>>>> shdr = elf_shdr_by_index(elf, i);
>>>>>>> if ( !elf_access_ok(elf, ELF_HANDLE_PTRVAL(shdr), 1) )
>>>>>>> /* input has an insane section header count field */
>>>>>>> break;
>>>>>>> - type = elf_uval(elf, shdr, sh_type);
>>>>>>> - if ( (type == SHT_STRTAB) || (type == SHT_SYMTAB) )
>>>>>>> - sz = elf_round_up(elf, sz + elf_uval(elf, shdr, sh_size));
>>>>>>> +
>>>>>>> + if ( elf_uval(elf, shdr, sh_type) != SHT_SYMTAB )
>>>>>>> + continue;
>>>>>>> +
>>>>>>> + sz = elf_round_up(elf, sz + elf_uval(elf, shdr, sh_size));
>>>>>>> + shdr = elf_shdr_by_index(elf, elf_uval(elf, shdr, sh_link));
>>>>>>> +
>>>>>>> + if ( !elf_access_ok(elf, ELF_HANDLE_PTRVAL(shdr), 1) )
>>>>>>> + /* input has an insane section header count field */
>>>>>>> + break;
>>>>>>> +
>>>>>>> + if ( elf_uval(elf, shdr, sh_type) != SHT_STRTAB )
>>>>>>> + /* Invalid symtab -> strtab link */
>>>>>>> + break;
>>>>>>
>>>>>> This is not sufficient - what if sh_link is out of bounds, but the
>>>>>> bogusly accessed field happens to hold SHT_STRTAB? (Oddly
>>>>>> enough you have at least an SHN_UNDEF check in the second
>>>>>> loop below.)
>>>>>
>>>>> The out-of-bounds access would be detected by elf_access_ok (if it's out
>>>>> of the scope of the ELF file, which is all we care about). In fact the
>>>>> elf_access_ok above could be removed because elf_uval already performs
>>>>> out-of-bounds checks. The result is definitely no worse that what we are
>>>>> doing ATM.
>>>>
>>>> No, the out of bounds check should be more strict than just
>>>> considering the whole image: The image is broken if the link
>>>> points to a non-existing section.
>>>
>>> Ah, do you mean I should mark the image as broken if either of the
>>> checks fail?
>>
>> Perhaps, but my main point continue to be that there is a check
>> missing here.
>
> I'm quite sure I'm missing something, but what kind of extra checks do
> you envision?
0 < sh_link < elf_shdr_count(elf)
Jan
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
http://lists.xen.org/xen-devel
next prev parent reply other threads:[~2016-02-29 16:41 UTC|newest]
Thread overview: 39+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-02-16 17:37 [PATCH v4 0/4] Assorted fixes and improvements Roger Pau Monne
2016-02-16 17:37 ` [PATCH v4 1/4] x86/HVM: update the start info structure layout Roger Pau Monne
2016-02-16 19:13 ` Andrew Cooper
2016-02-16 20:06 ` Konrad Rzeszutek Wilk
2016-02-17 10:01 ` Roger Pau Monné
2016-02-16 21:26 ` Boris Ostrovsky
2016-02-17 9:58 ` Jan Beulich
2016-02-17 10:05 ` Roger Pau Monné
2016-02-17 14:39 ` Boris Ostrovsky
2016-02-17 14:54 ` Jan Beulich
2016-02-17 10:45 ` Samuel Thibault
2016-02-17 13:00 ` Jan Beulich
2016-02-16 17:37 ` [PATCH v4 2/4] libxl: introduce LIBXL_VGA_INTERFACE_TYPE_UNKNOWN Roger Pau Monne
2016-02-24 12:08 ` Wei Liu
2016-03-01 16:06 ` Ian Jackson
2016-02-16 17:37 ` [PATCH v4 3/4] libelf: rewrite symtab/strtab loading Roger Pau Monne
2016-02-26 13:15 ` Jan Beulich
2016-02-26 17:02 ` Roger Pau Monné
2016-02-29 9:31 ` Jan Beulich
2016-02-29 10:57 ` Roger Pau Monné
2016-02-29 12:14 ` Jan Beulich
2016-02-29 16:20 ` Roger Pau Monné
2016-02-29 16:41 ` Jan Beulich [this message]
2016-02-16 17:37 ` [PATCH v4 4/4] libxl: fix cd-eject Roger Pau Monne
2016-02-16 17:58 ` Ian Jackson
2016-02-17 11:20 ` Roger Pau Monné
2016-02-17 11:42 ` Ian Campbell
2016-02-17 12:15 ` Ian Jackson
2016-02-17 17:20 ` [PATCH v6] libxl: allow 'phy' backend to use empty files Roger Pau Monne
2016-02-18 10:27 ` Alex Braunegg
2016-02-19 17:30 ` Ian Jackson
2016-02-19 17:41 ` Roger Pau Monné
2016-02-19 18:01 ` [PATCH v7] " Roger Pau Monne
2016-03-01 9:51 ` Roger Pau Monné
2016-03-03 15:41 ` Ian Jackson
2016-03-31 16:20 ` Roger Pau Monné
2016-04-01 14:06 ` Ian Jackson
2016-04-05 16:48 ` [PATCH v6] " George Dunlap
2016-04-05 21:45 ` Alex Braunegg
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=56D482C902000078000D77AC@prv-mh.provo.novell.com \
--to=jbeulich@suse.com \
--cc=roger.pau@citrix.com \
--cc=xen-devel@lists.xenproject.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).