
Re: [Xen-devel] [PATCH 15/22] libelf: use only unsigned integers



Andrew Cooper writes ("Re: [PATCH 15/22] libelf: use only unsigned integers"):
> On 07/06/13 19:27, Ian Jackson wrote:
> >  ELF_PTRVAL_CONST_VOID elf_note_desc(struct elf_binary *elf, 
> > ELF_HANDLE_DECL(elf_note) note)
> >  {
> > -    int namesz = (elf_uval(elf, note, namesz) + 3) & ~3;
> > +    unsigned namesz = (elf_uval(elf, note, namesz) + 3) & ~3;
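
Review bot: the rounding on the `+` line, `(elf_uval(elf, note, namesz) + 3) & ~3`, is still applied to namesz with no upper bound, so a value within 3 of the type's maximum wraps and rounds to 0. Declaring the variable `unsigned` makes that wrap well-defined but does not prevent it. Suggest rejecting a namesz that cannot be rounded, or that exceeds the space left in the note, before the result is used as an offset, and adding a comment that the field is guest-supplied.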
> 
> Here and elsewhere in this patch:
> 
> namesz is a guest-provided parameter.  If it is sufficiently high,
> namesz + 3 will overflow and end up being 0 after the rounding.
> 
> The result of this function would then falsely be elf_note_name() instead.

Yes, but I don't understand why it's a security problem.  If a
guest-provided kernel is corrupted then the guest should get to keep
all the resulting pieces.

Ian.
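
The wrap Andrew Cooper describes, and one way to reject it, as an added example that is not part of the original message or of libelf. `round4_checked`, `note_desc_offset` and `demo` are hypothetical names, the header is the standard three-word ELF note layout, and the sample buffer is constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Standard ELF note header: three 32-bit words, then name, then desc,
 * each padded to a 4-byte boundary. */
struct note_hdr { uint32_t namesz, descsz, type; };

/* Rounding as in the quoted line: wraps to 0 when v > UINT32_MAX - 3. */
static uint32_t round4_unchecked(uint32_t v) { return (v + 3) & ~3u; }

/* Hypothetical checked variant: 0 on success, -1 if rounding would wrap. */
static int round4_checked(uint32_t v, uint32_t *out)
{
    if (v > UINT32_MAX - 3)
        return -1;
    *out = (v + 3) & ~3u;
    return 0;
}

/* Offset of desc inside a note of len bytes, or -1 if the
 * guest-supplied sizes do not fit inside the note. */
static long note_desc_offset(const uint8_t *note, size_t len)
{
    struct note_hdr h;
    uint32_t name_pad, desc_pad;
    if (len < sizeof(h)) return -1;
    memcpy(&h, note, sizeof(h));
    if (round4_checked(h.namesz, &name_pad) ||
        round4_checked(h.descsz, &desc_pad)) return -1;
    size_t rest = len - sizeof(h);   /* compare by subtraction, never add */
    if (name_pad > rest || desc_pad > rest - name_pad) return -1;
    return (long)(sizeof(h) + name_pad);
}

/* Constructed sample: a 32-byte note buffer with the given header sizes. */
static long demo(uint32_t namesz, uint32_t descsz)
{
    uint8_t buf[32] = {0};
    struct note_hdr h = { namesz, descsz, 1 };
    memcpy(buf, &h, sizeof(h));
    return note_desc_offset(buf, sizeof(buf));
}

int main(void)
{
    printf("unchecked round of 0xfffffffe: %u\n", (unsigned)round4_unchecked(0xfffffffeu));
    printf("desc offset, namesz=4 descsz=8: %ld\n", demo(4, 8));
    printf("desc offset, namesz=0xfffffffe: %ld\n", demo(0xfffffffeu, 4));
    return 0;
}
```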
