
Re: [Xen-devel] [PATCH 20/22] libxc: check return values from malloc



Andrew Cooper writes ("Re: [PATCH 20/22] libxc: check return values from 
malloc"):
> On 07/06/13 19:27, Ian Jackson wrote:
> > A sufficiently malformed input to libxc (such as a malformed input ELF
> > or other guest-controlled data) might cause one of libxc's malloc() to
> > fail.  In this case we need to make sure we don't dereference or do
> > pointer arithmetic on the result.
...
> > @@ -709,12 +718,14 @@ int xc_cpuid_check(
...
> The function xc_cpuid_set() in this file also has an unchecked
> invocation of alloc_str()

Yes.

> > diff --git a/tools/libxc/xc_dom_arm.c b/tools/libxc/xc_dom_arm.c
> > index aaf35ca..df59ffb 100644
> > --- a/tools/libxc/xc_dom_arm.c
> > +++ b/tools/libxc/xc_dom_arm.c
> > @@ -170,6 +170,8 @@ int arch_setup_meminit(struct xc_dom_image *dom)
> >      dom->shadow_enabled = 1;
> >  
> >      dom->p2m_host = xc_dom_malloc(dom, sizeof(xen_pfn_t) * 
> > dom->total_pages);
> > +    if ( dom->p2m_host == NULL )
> > +        return -EINVAL;
> 
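Review bot: in the `xc_dom_malloc(dom, sizeof(xen_pfn_t) * dom->total_pages)` call the multiplication is evaluated before the allocator sees it, so the added NULL check catches an allocation failure but not a product that has wrapped to a small value and yielded a non-NULL, undersized `p2m_host`. Reject `dom->total_pages > SIZE_MAX / sizeof(xen_pfn_t)` before the call. Returning `-EINVAL` for what may be plain memory exhaustion is also worth a second look; `-ENOMEM` would let callers tell the two apart.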
> dom0->total_pages is, as best as I can tell, unvalidated thus far into
> libxc, so is a likely candidate for overflowing.

dom->total_pages is set in xc_dom_mem_init from the mem_mb parameter
which comes from the calling toolstack, and ultimately from the
domain configuration.

Do we think we need to defend against malicious mem_mb values ?

> > diff --git a/tools/libxc/xc_dom_core.c b/tools/libxc/xc_dom_core.c
> > index 21a8e0d..2a9c5a2 100644
> > --- a/tools/libxc/xc_dom_core.c
> > +++ b/tools/libxc/xc_dom_core.c
> > @@ -122,7 +122,10 @@ void *xc_dom_malloc(struct xc_dom_image *dom, size_t 
> > size)
> >  
> >      block = malloc(sizeof(*block) + size);
> 
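Review bot: `malloc(sizeof(*block) + size)` adds the header size to a caller-supplied `size` with no bound, so a `size` within `sizeof(*block)` of `SIZE_MAX` wraps the sum and malloc can succeed with a block too small to hold even the header, which a NULL check on the result cannot detect. Return NULL when `size > SIZE_MAX - sizeof(*block)` before calling malloc.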
> size is essentially arbitrary at this point.  Perhaps worth checking for
> overflow?

Yes.

> >      block = malloc(sizeof(*block));
> > -    if ( block == NULL )
> > +    if ( block == NULL ) {
> 
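Review bot: the opening brace on the added `if ( block == NULL ) {` line shares the line with the condition; Xen's coding style puts the opening brace on a line of its own, so move it to the next line.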
> As per before, style.

Will fix.

Ian.
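
The two overflow points raised in this thread (a header added to an arbitrary `size`, and an element size multiplied by a page count) can be guarded as in the following added example, which is not code from the patch or from libxc. The names `blk`, `naive_bytes`, `blk_alloc`, `blk_alloc_array` and `blk_free_all` are hypothetical, and the page count in `main` is a constructed value.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical header for an allocator that prepends bookkeeping to each request. */
struct blk { struct blk *next; unsigned char mem[]; };

/* What the unchecked expression evaluates to: size_t arithmetic wraps silently. */
size_t naive_bytes(size_t nmemb, size_t elem) { return nmemb * elem; }

/* Allocate size payload bytes behind a header; NULL on overflow or exhaustion. */
void *blk_alloc(struct blk **list, size_t size)
{
    struct blk *b;

    if ( size > SIZE_MAX - sizeof(*b) )   /* sizeof(*b) + size would wrap */
        return NULL;
    b = malloc(sizeof(*b) + size);
    if ( b == NULL )
        return NULL;
    b->next = *list;
    *list = b;
    return b->mem;
}

/* Allocate nmemb elements of elem bytes; NULL if the product would wrap. */
void *blk_alloc_array(struct blk **list, size_t nmemb, size_t elem)
{
    if ( elem != 0 && nmemb > SIZE_MAX / elem )
        return NULL;
    return blk_alloc(list, nmemb * elem);
}

void blk_free_all(struct blk **list)
{
    while ( *list != NULL )
    {
        struct blk *b = *list;
        *list = b->next;
        free(b);
    }
}

int main(void)
{
    struct blk *list = NULL;
    size_t pages = SIZE_MAX / 8 + 2;      /* constructed hostile page count */

    printf("naive size:   %zu bytes\n", naive_bytes(pages, 8));
    printf("checked call: %p\n", blk_alloc_array(&list, pages, 8));
    blk_free_all(&list);
}
```

With the unchecked expression the constructed page count asks for 8 bytes, so malloc succeeds and a NULL test passes; the checked path refuses the request before malloc is called.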
