From mboxrd@z Thu Jan 1 00:00:00 1970 From: Ian Jackson Subject: [PATCH 07/22] libelf/xc_dom_load_elf_symtab: Do not use "syms" uninitialised Date: Tue, 11 Jun 2013 19:20:50 +0100 Message-ID: <1370974865-19554-8-git-send-email-ian.jackson@eu.citrix.com> References: <1370974865-19554-1-git-send-email-ian.jackson@eu.citrix.com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Return-path: In-Reply-To: <1370974865-19554-1-git-send-email-ian.jackson@eu.citrix.com> List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Sender: xen-devel-bounces@lists.xen.org Errors-To: xen-devel-bounces@lists.xen.org To: xen-devel@lists.xensource.com Cc: andrew.cooper3@citrix.com, mattjd@gmail.com, Ian Jackson , security@xen.org List-Id: xen-devel@lists.xenproject.org xc_dom_load_elf_symtab (with load==0) calls elf_round_up, but it mistakenly used the uninitialised variable "syms" when calculating dom->bsd_symtab_start. This should be a reference to "elf". This change might have the effect of rounding the value differently. Previously if the uninitialised value (a single byte on the stack) was ELFCLASS64 (ie, 2), the alignment would be to 8 bytes, otherwise to 4. However, the value is calculated from dom->kernel_seg.vend so this could only make a difference if that value wasn't already aligned to 8 bytes. This is part of the fix to a security issue, XSA-55. Signed-off-by: Ian Jackson Acked-by: Ian Campbell Reviewed-by: Andrew Cooper v2: Split this change into its own patch for proper review. --- tools/libxc/xc_dom_elfloader.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/tools/libxc/xc_dom_elfloader.c b/tools/libxc/xc_dom_elfloader.c index bc92302..7ff51d1 100644 --- a/tools/libxc/xc_dom_elfloader.c +++ b/tools/libxc/xc_dom_elfloader.c @@ -142,7 +142,7 @@ static int xc_dom_load_elf_symtab(struct xc_dom_image *dom, hdr = xc_dom_malloc(dom, size); if ( hdr == NULL ) return 0; - dom->bsd_symtab_start = elf_round_up(&syms, dom->kernel_seg.vend); + dom->bsd_symtab_start = elf_round_up(elf, dom->kernel_seg.vend); } memcpy(hdr + sizeof(int), -- 1.7.2.5