* [PATCH 1/3] kexec elf: Sanity check on the note header before accessing it
@ 2016-08-26 12:46 Sylvain Munaut
From: Sylvain Munaut @ 2016-08-26 12:46 UTC (permalink / raw)
  To: kexec; +Cc: Sylvain Munaut

The name[hdr.n_namesz -1] check below can segfault if the header
is garbage, so we check that the computed header size fits within
the expected area before going further.

Signed-off-by: Sylvain Munaut <s.munaut@whatever-company.com>
---
 kexec/kexec-elf.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/kexec/kexec-elf.c b/kexec/kexec-elf.c
index 3515203..1d6320a 100644
--- a/kexec/kexec-elf.c
+++ b/kexec/kexec-elf.c
@@ -720,6 +720,14 @@ static int build_mem_notes(struct mem_ehdr *ehdr)
 		desc       = note + note_size;
 		note_size += _ALIGN(hdr.n_descsz, 4);
 
+		if (((note+note_size) > note_end) ||
+		    ((note+note_size) < note_start)) {
+			/* Something is very wrong here ! Most likely the note
+			 * header is invalid */
+			fprintf(stderr, "ELF Note corrupted !\n");
+			return -1;
+		}
+
 		if ((hdr.n_namesz != 0) && (name[hdr.n_namesz -1] != '\0')) {
 			/* If note name string is not null terminated, just
 			 * warn user about it and continue processing. This
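Review bot: the new check compares pointers that may already be out of range: `note + note_size` is formed from the file-controlled `n_namesz`/`n_descsz` contributions before it is compared, and forming a pointer beyond the end of the note buffer is undefined behaviour in C, so the `(note+note_size) < note_start` wrap test is not guaranteed to survive optimisation. Compare lengths against the remaining room instead, e.g. `if (note_size > (size_t)(note_end - note))`, which needs no out-of-range pointer, and consider validating `hdr.n_descsz` before `_ALIGN(hdr.n_descsz, 4)` is added so the alignment rounding cannot itself overflow `note_size`. Minor: the `"ELF Note corrupted !\n"` message would be more useful with the note's offset in it, and the space before `!` does not match the rest of the file.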
-- 
2.1.4


_______________________________________________
kexec mailing list
kexec@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/kexec


* [PATCH 2/3] multiboot: Fix length computation for the memory zones
From: Sylvain Munaut @ 2016-08-26 12:46 UTC (permalink / raw)
  To: kexec; +Cc: Sylvain Munaut

Signed-off-by: Sylvain Munaut <s.munaut@whatever-company.com>
---
 kexec/arch/i386/kexec-multiboot-x86.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/kexec/arch/i386/kexec-multiboot-x86.c b/kexec/arch/i386/kexec-multiboot-x86.c
index 0dbac70..4de237c 100644
--- a/kexec/arch/i386/kexec-multiboot-x86.c
+++ b/kexec/arch/i386/kexec-multiboot-x86.c
@@ -252,7 +252,7 @@ int multiboot_x86_load(int argc, char **argv, const char *buf, off_t len,
 	mmap = xmalloc(ranges * sizeof(*mmap));
 	for (i=0; i<ranges; i++) {
 		unsigned long long length;
-		length = range[i].end - range[i].start;
+		length = range[i].end - range[i].start + 1;
 		/* Translate bzImage mmap to multiboot-speak */
 		mmap[i].size = sizeof(mmap[i]) - 4;
 		mmap[i].base_addr_low  = range[i].start & 0xffffffff;
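Review bot: the commit message is empty; it should state why the `+ 1` is correct, namely that `range[i].end` is the inclusive address of the last byte so the zone length is `end - start + 1`, and that reasoning belongs as a comment on the line too, e.g. `/* range[].end is inclusive */`, so the next reader does not "fix" it back. Worth confirming in the same pass that the other uses of `range[i].end` in this function (the `mem_upper` computation further down) agree with the inclusive interpretation.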
-- 
2.1.4



* [PATCH 3/3] multiboot: Use the "reserved" type for non-ram zones
From: Sylvain Munaut @ 2016-08-26 12:46 UTC (permalink / raw)
  To: kexec; +Cc: Sylvain Munaut

It seems that Xen actually checks for some zones to be 'reserved' and
complains if they are not.

This also matches what the BIOS uses at boot.

Signed-off-by: Sylvain Munaut <s.munaut@whatever-company.com>
---
 kexec/arch/i386/kexec-multiboot-x86.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/kexec/arch/i386/kexec-multiboot-x86.c b/kexec/arch/i386/kexec-multiboot-x86.c
index 4de237c..69027e2 100644
--- a/kexec/arch/i386/kexec-multiboot-x86.c
+++ b/kexec/arch/i386/kexec-multiboot-x86.c
@@ -278,7 +278,7 @@ int multiboot_x86_load(int argc, char **argv, const char *buf, off_t len,
 			    && (range[i].end > mem_upper + 0x100000))
 				mem_upper = range[i].end - 0x100000;
 		} else {
-			mmap[i].Type = 0xbad;  /* Not RAM */
+			mmap[i].Type = 2;  /* Not RAM (reserved) */
 		}
 	}
 
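Review bot: `2` is a magic number; the Multiboot memory-map type values (1 = available RAM, 2 = reserved) deserve a named constant rather than a bare literal with a trailing comment, so use the one from the tree's Multiboot header if it has one or add `#define MULTIBOOT_MEMORY_RESERVED 2` beside its available counterpart. The commit message should also record which Xen check rejects the old `0xbad` value: the Multiboot spec says any type other than 1 is to be treated as reserved, so the stricter consumer, not the spec, is the reason for the change, and that is worth writing down.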
-- 
2.1.4



* Re: [PATCH 1/3] kexec elf: Sanity check on the note header before accessing it
From: Simon Horman @ 2016-10-07  2:55 UTC (permalink / raw)
  To: Sylvain Munaut; +Cc: kexec

On Fri, Aug 26, 2016 at 12:46:14PM +0000, Sylvain Munaut wrote:
> The name[hdr.n_namesz -1] check below can segfault if the header
> is garbage, so we check that the computed header size fits within
> the expected area before going further.
> 
> Signed-off-by: Sylvain Munaut <s.munaut@whatever-company.com>

Thanks, I have applied this and the other two patches in this series.

