From mboxrd@z Thu Jan 1 00:00:00 1970 From: Ian Jackson Subject: Re: [PATCH 12/22] libelf: Check pointer references in elf_is_elfbinary Date: Tue, 11 Jun 2013 17:33:35 +0100 Message-ID: <20919.20831.463730.747002@mariner.uk.xensource.com> References: <1370629642-6990-1-git-send-email-ian.jackson@eu.citrix.com> <1370629642-6990-13-git-send-email-ian.jackson@eu.citrix.com> <51B65B8D.9070009@citrix.com> <20919.15933.555614.734706@mariner.uk.xensource.com> <51B749B3.5040202@citrix.com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Return-path: In-Reply-To: <51B749B3.5040202@citrix.com> List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Sender: xen-devel-bounces@lists.xen.org Errors-To: xen-devel-bounces@lists.xen.org To: Andrew Cooper Cc: "xen-devel@lists.xensource.com" , "mattjd@gmail.com" , "security@xen.org" List-Id: xen-devel@lists.xenproject.org Andrew Cooper writes ("Re: [PATCH 12/22] libelf: Check pointer references in elf_is_elfbinary"): > Ok on the argument regarding the validity of Elf32_Ehdr. > > However, I would then suggest that const Elf32_Ehdr should really be an > unsigned char e_ident[], and the length check should be against > EI_NIDENT to avoid giving the false impression that it is validating the > entire Ehdr. In offline discussion, we agreed that the best answer was a comment in libelf.h. I've also added some text to the commit message about this question. commit 7aaaf98a9a53dc80b57f99015f2bc78573177ded Author: Ian Jackson Date: Tue Jun 11 17:32:41 2013 +0100 Add a comment about the limited function of elf_is_elfbinary diff --git a/.topmsg b/.topmsg index 8439974..8ed2b2d 100644 --- a/.topmsg +++ b/.topmsg @@ -4,11 +4,18 @@ Subject: [PATCH] libelf: Check pointer references in elf_is_elfbinary elf_is_elfbinary didn't take a length parameter and could potentially access out of range when provided with a very short image. +We only need to check the size is enough for the actual dereference in +elf_is_elfbinary; callers are just using it to check the magic number +and do their own checks (usually via the new elf_ptrval system) before +dereferencing other parts of the header. + This is part of the fix to a security issue, XSA-55. Signed-off-by: Ian Jackson Acked-by: Ian Campbell Reviewed-by: Konrad Rzeszutek Wilk +v7: Add a comment about the limited function of elf_is_elfbinary. + v2: Style fix. Fix commit message subject. diff --git a/xen/include/xen/libelf.h b/xen/include/xen/libelf.h index c54c90b..33e9720 100644 --- a/xen/include/xen/libelf.h +++ b/xen/include/xen/libelf.h @@ -349,7 +349,9 @@ uint64_t elf_note_numeric_array(struct elf_binary *, ELF_HANDLE_DECL(elf_note), unsigned int unitsz, unsigned int idx); ELF_HANDLE_DECL(elf_note) elf_note_next(struct elf_binary *elf, ELF_HANDLE_DECL(elf_note) note); +/* (Only) checks that the image has the right magic number. */ int elf_is_elfbinary(const void *image_start, size_t image_size); + int elf_phdr_is_loadable(struct elf_binary *elf, ELF_HANDLE_DECL(elf_phdr) phdr); /* ------------------------------------------------------------------------ */