Xen project Mailing List

Re: [Xen-devel] [PATCH 19/21] DRAFT libxc: check return values from malloc

To: <xen-devel@xxxxxxxxxxxxxxxxxxx>, <mattjd@xxxxxxxxx>, <security@xxxxxxx>, <andrew.cooper3@xxxxxxxxxx>

From: Ian Jackson <Ian.Jackson@xxxxxxxxxxxxx>

Date: Thu, 13 Jun 2013 16:53:04 +0100

Delivery-date: Thu, 13 Jun 2013 15:53:23 +0000

List-id: Xen developer discussion <xen-devel.lists.xen.org>

Ian Jackson writes ("[PATCH 19/21] DRAFT libxc: check return values from malloc"): > *** DRAFT ONLY *** > This is a direct backport of the 4.2 patch. I have not rerun the > search yet, and need to do so. I have finished this grep and found one that additional obvious change was needed. I will include this in v8 of my 4.1 backports. Ian. commit 0ed45ae28bf70cee5400ce8251577d264880489d Author: Ian Jackson <ian.jackson@xxxxxxxxxxxxx> Date: Thu Jun 13 16:52:48 2013 +0100 xc_flask_access diff --git a/.topmsg b/.topmsg index 988c545..6c3ca79 100644 --- a/.topmsg +++ b/.topmsg @@ -1,11 +1,5 @@ From: Ian Jackson <ian.jackson@xxxxxxxxxxxxx> -Subject: DRAFT libxc: check return values from malloc - - -*** DRAFT ONLY *** -This is a direct backport of the 4.2 patch. I have not rerun the -search yet, and need to do so. - +Subject: libxc: check return values from malloc A sufficiently malformed input to libxc (such as a malformed input ELF or other guest-controlled data) might cause one of libxc's malloc() to @@ -28,6 +22,9 @@ Changes in the Xen 4.2 version of this series: * No need to fix code relating to superpage support. * Additionally fix `dom->p2m_host = xc_dom_malloc...' in xc_dom_ia64.c. +Changes in the Xen 4.1 version of this series: +* An additional check is needed in xc_flask.c:xc_flask_access. + This is part of the fix to a security issue, XSA-55. Signed-off-by: Ian Jackson <ian.jackson@xxxxxxxxxxxxx> diff --git a/tools/libxc/xc_flask.c b/tools/libxc/xc_flask.c index 27794a8..78c243c 100644 --- a/tools/libxc/xc_flask.c +++ b/tools/libxc/xc_flask.c @@ -284,6 +284,8 @@ int xc_flask_access(xc_interface *xc_handle, const char *scon, const char *tcon, MAX_SHORT_DEC_LEN + 1 + sizeof(req)*2 + 1; buf = malloc(bufLen); + if ( buf == NULL ) + return -ENOMEM; snprintf(buf, bufLen, "%s %s %hu %x", scon, tcon, tclass, req); op.cmd = FLASK_ACCESS; _______________________________________________ Xen-devel mailing list Xen-devel@xxxxxxxxxxxxx http://lists.xen.org/xen-devel

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.