[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Xen-devel] [PATCH 23/23] libxc: Better range check in xc_dom_alloc_segment

To: xen-devel@xxxxxxxxxxxxxxxxxxx
From: Ian Jackson <ian.jackson@xxxxxxxxxxxxx>
Date: Thu, 13 Jun 2013 19:18:57 +0100
Cc: andrew.cooper3@xxxxxxxxxx, mattjd@xxxxxxxxx, Ian Jackson <ian.jackson@xxxxxxxxxxxxx>, security@xxxxxxx
Delivery-date: Thu, 13 Jun 2013 18:20:12 +0000
List-id: Xen developer discussion <xen-devel.lists.xen.org>

If seg->pfn is too large, the arithmetic in the range check might
overflow, defeating the range check.

This is part of the fix to a security issue, XSA-55.

Signed-off-by: Ian Jackson <ian.jackson@xxxxxxxxxxxxx>
Reviewed-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
---
 tools/libxc/xc_dom_core.c |    3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

diff --git a/tools/libxc/xc_dom_core.c b/tools/libxc/xc_dom_core.c
index f8d1b08..e79e38d 100644
--- a/tools/libxc/xc_dom_core.c
+++ b/tools/libxc/xc_dom_core.c
@@ -509,7 +509,8 @@ int xc_dom_alloc_segment(struct xc_dom_image *dom,
     seg->vstart = start;
     seg->pfn = (seg->vstart - dom->parms.virt_base) / page_size;
 
-    if ( pages > dom->total_pages || /* double test avoids overflow probs */
+    if ( pages > dom->total_pages || /* multiple test avoids overflow probs */
+         seg->pfn > dom->total_pages ||
          pages > dom->total_pages - seg->pfn)
     {
         xc_dom_panic(dom->xch, XC_OUT_OF_MEMORY,
-- 
1.7.2.5


_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel

References:
- [Xen-devel] [PATCH v8 00/22] XSA55 libelf fixes for Xen 4.2
  - From: Ian Jackson

Prev by Date: [Xen-devel] [PATCH 21/23] libxc: range checks in xc_dom_p2m_host and _guest
Next by Date: [Xen-devel] [PATCH 22/23] libxc: check blob size before proceeding in xc_dom_check_gzip
Previous by thread: [Xen-devel] [PATCH 21/23] libxc: range checks in xc_dom_p2m_host and _guest
Next by thread: [Xen-devel] [PATCH 22/23] libxc: check blob size before proceeding in xc_dom_check_gzip
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.