From mboxrd@z Thu Jan 1 00:00:00 1970 From: Ian Jackson Subject: Re: [PATCH 15/22] libelf: use only unsigned integers Date: Tue, 11 Jun 2013 14:16:01 +0100 Message-ID: <20919.8977.156809.394467@mariner.uk.xensource.com> References: <1370629642-6990-1-git-send-email-ian.jackson@eu.citrix.com> <1370629642-6990-16-git-send-email-ian.jackson@eu.citrix.com> <51B61AD5.4030908@citrix.com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Return-path: In-Reply-To: <51B61AD5.4030908@citrix.com> List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Sender: xen-devel-bounces@lists.xen.org Errors-To: xen-devel-bounces@lists.xen.org To: Andrew Cooper Cc: "xen-devel@lists.xensource.com" , "mattjd@gmail.com" , "security@xen.org" List-Id: xen-devel@lists.xenproject.org Andrew Cooper writes ("Re: [PATCH 15/22] libelf: use only unsigned integers"): > On 07/06/13 19:27, Ian Jackson wrote: > > ELF_PTRVAL_CONST_VOID elf_note_desc(struct elf_binary *elf, ELF_HANDLE_DECL(elf_note) note) > > { > > - int namesz = (elf_uval(elf, note, namesz) + 3) & ~3; > > + unsigned namesz = (elf_uval(elf, note, namesz) + 3) & ~3; > > Here and elsewhere in this patch: > > namesz is a guest-provided parameter. If it is sufficiently high, > namesz + 3 will overflow and end up being 0 after the rounding. > > The result of this function would then falsely be elf_note_name() instead. Yes, but I don't understand why it's a security problem. If a guest-provided kernel is corrupted then the guest should get to keep all the resulting pieces. Ian.