[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] [PATCH 12/22] libelf: Check pointer references in elf_is_elfbinary

Andrew Cooper writes ("Re: [PATCH 12/22] libelf: Check pointer references in 
> Ok on the argument regarding the validity of Elf32_Ehdr.
> However, I would then suggest that const Elf32_Ehdr should really be an
> unsigned char e_ident[], and the length check should be against
> EI_NIDENT to avoid giving the false impression that it is validating the
> entire Ehdr.

In offline discussion, we agreed that the best answer was a comment in
libelf.h.  I've also added some text to the commit message about this

commit 7aaaf98a9a53dc80b57f99015f2bc78573177ded
Author: Ian Jackson <ian.jackson@xxxxxxxxxxxxx>
Date:   Tue Jun 11 17:32:41 2013 +0100

    Add a comment about the limited function of elf_is_elfbinary

diff --git a/.topmsg b/.topmsg
index 8439974..8ed2b2d 100644
--- a/.topmsg
+++ b/.topmsg
@@ -4,11 +4,18 @@ Subject: [PATCH] libelf: Check pointer references in 
 elf_is_elfbinary didn't take a length parameter and could potentially
 access out of range when provided with a very short image.
+We only need to check the size is enough for the actual dereference in
+elf_is_elfbinary; callers are just using it to check the magic number
+and do their own checks (usually via the new elf_ptrval system) before
+dereferencing other parts of the header.
 This is part of the fix to a security issue, XSA-55.
 Signed-off-by: Ian Jackson <ian.jackson@xxxxxxxxxxxxx>
 Acked-by: Ian Campbell <ian.campbell@xxxxxxxxxx>
 Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@xxxxxxxxxx>
+v7: Add a comment about the limited function of elf_is_elfbinary.
 v2: Style fix.
     Fix commit message subject.
diff --git a/xen/include/xen/libelf.h b/xen/include/xen/libelf.h
index c54c90b..33e9720 100644
--- a/xen/include/xen/libelf.h
+++ b/xen/include/xen/libelf.h
@@ -349,7 +349,9 @@ uint64_t elf_note_numeric_array(struct elf_binary *, 
                                 unsigned int unitsz, unsigned int idx);
 ELF_HANDLE_DECL(elf_note) elf_note_next(struct elf_binary *elf, 
ELF_HANDLE_DECL(elf_note) note);
+/* (Only) checks that the image has the right magic number. */
 int elf_is_elfbinary(const void *image_start, size_t image_size);
 int elf_phdr_is_loadable(struct elf_binary *elf, ELF_HANDLE_DECL(elf_phdr) 
 /* ------------------------------------------------------------------------ */

Xen-devel mailing list



Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.