[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] [PATCH 12/22] libelf: Check pointer references in elf_is_elfbinary

To: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
From: Ian Jackson <Ian.Jackson@xxxxxxxxxxxxx>
Date: Tue, 11 Jun 2013 17:33:35 +0100
Cc: "xen-devel@xxxxxxxxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxxxxxxxx>, "mattjd@xxxxxxxxx" <mattjd@xxxxxxxxx>, "security@xxxxxxx" <security@xxxxxxx>
Delivery-date: Tue, 11 Jun 2013 16:33:51 +0000
List-id: Xen developer discussion <xen-devel.lists.xen.org>

Andrew Cooper writes ("Re: [PATCH 12/22] libelf: Check pointer references in 
elf_is_elfbinary"):
> Ok on the argument regarding the validity of Elf32_Ehdr.
> 
> However, I would then suggest that const Elf32_Ehdr should really be an
> unsigned char e_ident[], and the length check should be against
> EI_NIDENT to avoid giving the false impression that it is validating the
> entire Ehdr.

In offline discussion, we agreed that the best answer was a comment in
libelf.h.  I've also added some text to the commit message about this
question.

commit 7aaaf98a9a53dc80b57f99015f2bc78573177ded
Author: Ian Jackson <ian.jackson@xxxxxxxxxxxxx>
Date:   Tue Jun 11 17:32:41 2013 +0100

    Add a comment about the limited function of elf_is_elfbinary

diff --git a/.topmsg b/.topmsg
index 8439974..8ed2b2d 100644
--- a/.topmsg
+++ b/.topmsg
@@ -4,11 +4,18 @@ Subject: [PATCH] libelf: Check pointer references in 
elf_is_elfbinary
 elf_is_elfbinary didn't take a length parameter and could potentially
 access out of range when provided with a very short image.
 
+We only need to check the size is enough for the actual dereference in
+elf_is_elfbinary; callers are just using it to check the magic number
+and do their own checks (usually via the new elf_ptrval system) before
+dereferencing other parts of the header.
+
 This is part of the fix to a security issue, XSA-55.
 
 Signed-off-by: Ian Jackson <ian.jackson@xxxxxxxxxxxxx>
 Acked-by: Ian Campbell <ian.campbell@xxxxxxxxxx>
 Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@xxxxxxxxxx>
 
+v7: Add a comment about the limited function of elf_is_elfbinary.
+
 v2: Style fix.
     Fix commit message subject.
diff --git a/xen/include/xen/libelf.h b/xen/include/xen/libelf.h
index c54c90b..33e9720 100644
--- a/xen/include/xen/libelf.h
+++ b/xen/include/xen/libelf.h
@@ -349,7 +349,9 @@ uint64_t elf_note_numeric_array(struct elf_binary *, 
ELF_HANDLE_DECL(elf_note),
                                 unsigned int unitsz, unsigned int idx);
 ELF_HANDLE_DECL(elf_note) elf_note_next(struct elf_binary *elf, 
ELF_HANDLE_DECL(elf_note) note);
 
+/* (Only) checks that the image has the right magic number. */
 int elf_is_elfbinary(const void *image_start, size_t image_size);
+
 int elf_phdr_is_loadable(struct elf_binary *elf, ELF_HANDLE_DECL(elf_phdr) 
phdr);
 
 /* ------------------------------------------------------------------------ */

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel

References:
- [Xen-devel] [PATCH v6 00/22] XSA55 libelf fixes for unstable
  - From: Ian Jackson
- [Xen-devel] [PATCH 12/22] libelf: Check pointer references in elf_is_elfbinary
  - From: Ian Jackson
- Re: [Xen-devel] [PATCH 12/22] libelf: Check pointer references in elf_is_elfbinary
  - From: Andrew Cooper
- Re: [Xen-devel] [PATCH 12/22] libelf: Check pointer references in elf_is_elfbinary
  - From: Ian Jackson
- Re: [Xen-devel] [PATCH 12/22] libelf: Check pointer references in elf_is_elfbinary
  - From: Andrew Cooper

Prev by Date: Re: [Xen-devel] [PATCH] xen/pci: Deal with toolstack missing an 'XenbusStateClosing'.
Next by Date: Re: [Xen-devel] Xen 4.3 + tmem = Xen BUG at domain_page.c:143
Previous by thread: Re: [Xen-devel] [PATCH 12/22] libelf: Check pointer references in elf_is_elfbinary
Next by thread: [Xen-devel] [PATCH 13/22] libelf: Make all callers call elf_check_broken
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.