[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] [PATCH 18/22] libxc: Add range checking to xc_dom_binloader

To: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
From: Ian Jackson <Ian.Jackson@xxxxxxxxxxxxx>
Date: Tue, 11 Jun 2013 15:46:03 +0100
Cc: "xen-devel@xxxxxxxxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxxxxxxxx>, "mattjd@xxxxxxxxx" <mattjd@xxxxxxxxx>, "security@xxxxxxx" <security@xxxxxxx>
Delivery-date: Tue, 11 Jun 2013 14:46:19 +0000
List-id: Xen developer discussion <xen-devel.lists.xen.org>

Andrew Cooper writes ("Re: [PATCH 18/22] libxc: Add range checking to 
xc_dom_binloader"):
> On 07/06/13 19:27, Ian Jackson wrote:
> > @@ -123,9 +123,12 @@ static struct xen_bin_image_table *find_table(struct 
> > xc_dom_image *dom)
> >      uint32_t *probe_ptr;
> >      uint32_t *probe_end;
> >  
> > +    if ( dom->kernel_size < sizeof(*table) )
> > +        return NULL;
> >      probe_ptr = dom->kernel_blob;
> >      probe_end = dom->kernel_blob + dom->kernel_size - sizeof(*table);
> > -    if ( (void*)probe_end > (dom->kernel_blob + 8192) )
> > +    if ( dom->kernel_size >= 8192 &&
> > +         (void*)probe_end > (dom->kernel_blob + 8192) )
> >          probe_end = dom->kernel_blob + 8192;
> 
> More void pointer arithmetic.

As discussed I intend to leave that alone.  It has defined (and the
desired) behaviour.

> If I am reading the above correctly, it appears to be a glorified
> 
> probe_end = dom->kernel_blob + (uintptr_t)min(dom->kernel_size -
> sizeof(*table), 8192);
> 
> which looks to be a more simple representation?

Surely I shouldn't be changing this unnecessarily ?

Ian.

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel

References:
- [Xen-devel] [PATCH v6 00/22] XSA55 libelf fixes for unstable
  - From: Ian Jackson
- [Xen-devel] [PATCH 18/22] libxc: Add range checking to xc_dom_binloader
  - From: Ian Jackson
- Re: [Xen-devel] [PATCH 18/22] libxc: Add range checking to xc_dom_binloader
  - From: Andrew Cooper

Prev by Date: Re: [Xen-devel] [PATCH 19/22] libxc: check failure of xc_dom_*_to_ptr, xc_map_foreign_range
Next by Date: Re: [Xen-devel] Xen 4.3 + tmem = Xen BUG at domain_page.c:143
Previous by thread: Re: [Xen-devel] [PATCH 18/22] libxc: Add range checking to xc_dom_binloader
Next by thread: [Xen-devel] [PATCH 17/22] libelf: abolish obsolete macros
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.