Re: [Xen-devel] [PATCH 20/22] libxc: check return values from malloc
Andrew Cooper writes ("Re: [PATCH 20/22] libxc: check return values from
malloc"):
> On 07/06/13 19:27, Ian Jackson wrote:
> > A sufficiently malformed input to libxc (such as a malformed input ELF
> > or other guest-controlled data) might cause one of libxc's malloc() to
> > fail. In this case we need to make sure we don't dereference or do
> > pointer arithmetic on the result.
...
> > @@ -709,12 +718,14 @@ int xc_cpuid_check(
...
> The function xc_cpuid_set() in this file also has an unchecked
> invocation of alloc_str()
Yes.
> > diff --git a/tools/libxc/xc_dom_arm.c b/tools/libxc/xc_dom_arm.c
> > index aaf35ca..df59ffb 100644
> > --- a/tools/libxc/xc_dom_arm.c
> > +++ b/tools/libxc/xc_dom_arm.c
> > @@ -170,6 +170,8 @@ int arch_setup_meminit(struct xc_dom_image *dom)
> > dom->shadow_enabled = 1;
> >
> > dom->p2m_host = xc_dom_malloc(dom, sizeof(xen_pfn_t) *
> > dom->total_pages);
> > + if ( dom->p2m_host == NULL )
> > + return -EINVAL;
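Review bot: The NULL check added after the xc_dom_malloc() call catches allocation failure but not a wrap in `sizeof(xen_pfn_t) * dom->total_pages`; if the product wraps, the call can succeed with a buffer too small for total_pages entries. Suggest rejecting `dom->total_pages > SIZE_MAX / sizeof(xen_pfn_t)` before the call. Also consider whether -ENOMEM describes this failure better than -EINVAL.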
>
> dom0->total_pages is, as best as I can tell, unvalidated thus far into
> libxc, so is a likely candidate for overflowing.
dom->total_pages is set in xc_dom_mem_init from the mem_mb parameter
which comes from the calling toolstack, and ultimately from the
domain configuration.
Do we think we need to defend against malicious mem_mb values ?
> > diff --git a/tools/libxc/xc_dom_core.c b/tools/libxc/xc_dom_core.c
> > index 21a8e0d..2a9c5a2 100644
> > --- a/tools/libxc/xc_dom_core.c
> > +++ b/tools/libxc/xc_dom_core.c
> > @@ -122,7 +122,10 @@ void *xc_dom_malloc(struct xc_dom_image *dom, size_t
> > size)
> >
> > block = malloc(sizeof(*block) + size);
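Review bot: In xc_dom_malloc(), the `sizeof(*block) + size` argument to malloc() can wrap when size is close to SIZE_MAX, so malloc() may return a block smaller than the header alone and a NULL check on block would not catch it. Suggest returning NULL when `size > SIZE_MAX - sizeof(*block)` before allocating.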
>
> size is essentially arbitrary at this point. Perhaps worth checking for
> overflow?
Yes.
> > block = malloc(sizeof(*block));
> > - if ( block == NULL )
> > + if ( block == NULL ) {
>
> As per before, style.
Will fix.
Ian.
_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel
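The two size computations questioned in this thread (the `sizeof(*block) + size` addition and the `sizeof(xen_pfn_t) * dom->total_pages` multiplication), checked for wrap before allocating. This is an added example, not code from the thread or from libxc: `struct image`, `struct mem_block`, `image_malloc()`, `image_malloc_array()` and `image_free_all()` are hypothetical stand-ins.

```c
#include <stdint.h>
#include <stdlib.h>

/* Hypothetical stand-ins for the image and its list of tracked blocks. */
struct mem_block {
    struct mem_block *next;
    size_t len;
    unsigned char data[];            /* payload follows the header */
};
struct image { struct mem_block *blocks; };

/* Header + payload: refuse sizes where sizeof(*block) + size would wrap. */
void *image_malloc(struct image *img, size_t size)
{
    struct mem_block *block;
    if ( size > SIZE_MAX - sizeof(*block) )
        return NULL;
    block = malloc(sizeof(*block) + size);
    if ( block == NULL )
        return NULL;
    block->len = size;
    block->next = img->blocks;       /* track the block for bulk release */
    img->blocks = block;
    return block->data;
}

/* Array allocation: refuse counts where nmemb * elem would wrap. */
void *image_malloc_array(struct image *img, size_t nmemb, size_t elem)
{
    if ( elem != 0 && nmemb > SIZE_MAX / elem )
        return NULL;
    return image_malloc(img, nmemb * elem);
}

void image_free_all(struct image *img)
{
    while ( img->blocks != NULL )
    {
        struct mem_block *next = img->blocks->next;
        free(img->blocks);
        img->blocks = next;
    }
}

int main(void)
{
    struct image img = { NULL };
    /* Constructed inputs: a wrapping size, a wrapping count, a sane count. */
    int ok = image_malloc(&img, SIZE_MAX) == NULL &&
             image_malloc_array(&img, SIZE_MAX / 8 + 1, 8) == NULL &&
             image_malloc_array(&img, 16, 8) != NULL;
    image_free_all(&img);
    return ok ? 0 : 1;
}
```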