[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] [PATCH 09/16] libelf: check nul-terminated strings properly

Matthew Daley writes ("Re: [PATCH 09/16] libelf: check nul-terminated strings 
> On Tue, Jun 4, 2013 at 3:41 AM, Ian Jackson <ian.jackson@xxxxxxxxxxxxx> wrote:
> > @@ -103,10 +103,13 @@ static int print_notes(struct elf_binary *elf, 
> > ELF_HANDLE_DECL(elf_note) start,
> > -               if (0 != strcmp(elf_note_name(elf, note), "Xen"))
> > +               this_note_name = elf_note_name(elf, note);
> > +               if (NULL == this_note_name ||
> Should be break in this case, not continue, otherwise a invalid large
> elf note section will make the loop run for a long time.

I think the real problem here is the nested loop.  Perhaps we should
impose a smallish limit on the size of strings.

I've taken the view that looping once per byte of the input image is
fine.  But I think I this loop (and others like it) can be made to
loop O(size_of_input_image^2) times.

Changing the continue to break doesn't help because if the attacker
puts a nul byte at the end of their image they get to execute the same
amount of loop.


Xen-devel mailing list



Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.