
Re: [Xen-devel] [PATCH v4] xen/tools: Introduce QNX IFS loader



On Fri, Sep 26, 2014 at 7:35 PM, Ian Jackson <Ian.Jackson@xxxxxxxxxxxxx> wrote:
> Oleksandr Tyshchenko writes ("Re: [PATCH v4] xen/tools: Introduce QNX IFS 
> loader"):
>> On Fri, Sep 26, 2014 at 5:37 PM, Ian Jackson <Ian.Jackson@xxxxxxxxxxxxx> 
>> wrote:
>> > Suppose that the incoming image is corrupt or malicious and
>> > startup_header.startup_size and dom->kernel_size are both equal to
>> > sizeof(startup_header)+1.
> ...
>> ok. Maybe, do you mean that (stored_size == kernel_size) instead of
>> (startup_size == kernel_size)?
>
> You are right that I had failed to properly analyse the condition on
> startup_size and stored_size.  I guess that just goes to show how hard
> this is.
>
> But I think there is still an attack.  Consider:
>   startup_size == 3;
>   stored_size == kernel_size == sizeof(startup_header);
>
> Then the first calc_checksum gets 3 as a size argument and loops
> forever scanning memory until it crashes.
agree

>
> Ian.



-- 

Oleksandr Tyshchenko | Embedded Dev
GlobalLogic
www.globallogic.com
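The failure Ian describes above (a header-supplied size smaller than the header itself being handed to calc_checksum, which then runs off the end of the buffer) is a classic untrusted-length bug. The following is an added example, not code from the patch under review or from the Xen tree: a constructed, simplified header carrying only the two fields named in the thread (startup_size and stored_size), a validation routine that checks them against the real buffer length (dom->kernel_size in the thread) before any of them is used as a loop bound, and a checksum that only ever advances by whole words so that it terminates for every input. The struct layout, enum names and function names are assumptions made for this illustration and do not match the real QNX startup header.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical, simplified header: only the two size fields discussed in
 * the thread.  The layout is constructed for this example and is NOT the
 * real QNX startup header. */
struct startup_header {
    uint32_t startup_size;  /* bytes covered by the startup checksum */
    uint32_t stored_size;   /* total bytes of the image as stored */
};

enum ifs_check {
    IFS_OK = 0,
    IFS_ERR_TOO_SMALL,      /* buffer shorter than the header itself */
    IFS_ERR_STARTUP_SIZE,   /* startup_size < sizeof(header) or not word-aligned */
    IFS_ERR_STORED_SIZE,    /* stored_size < startup_size */
    IFS_ERR_KERNEL_SIZE     /* stored_size exceeds the bytes actually loaded */
};

/* Validate the untrusted header against the real buffer length before any
 * header field is used as a size.  Each check corresponds to one way the
 * sizes in the thread could be made inconsistent. */
enum ifs_check validate_startup_header(const uint8_t *image, size_t kernel_size)
{
    struct startup_header hdr;

    if (kernel_size < sizeof(hdr))
        return IFS_ERR_TOO_SMALL;
    memcpy(&hdr, image, sizeof(hdr));

    /* Rejects Ian's case: startup_size == 3 can never cover the header. */
    if (hdr.startup_size < sizeof(hdr) || hdr.startup_size % sizeof(uint32_t) != 0)
        return IFS_ERR_STARTUP_SIZE;
    if (hdr.stored_size < hdr.startup_size)
        return IFS_ERR_STORED_SIZE;
    if (hdr.stored_size > kernel_size)
        return IFS_ERR_KERNEL_SIZE;
    return IFS_OK;
}

/* Sum little-endian 32-bit words over image[0..len).  The loop condition is
 * on the offset, not on a decremented size, so a length such as 3 simply
 * yields zero iterations instead of wrapping and scanning memory. */
uint32_t calc_checksum_bounded(const uint8_t *p, size_t len)
{
    uint32_t sum = 0;
    for (size_t off = 0; off + sizeof(uint32_t) <= len; off += sizeof(uint32_t)) {
        uint32_t w = (uint32_t)p[off]
                   | (uint32_t)p[off + 1] << 8
                   | (uint32_t)p[off + 2] << 16
                   | (uint32_t)p[off + 3] << 24;
        sum += w;
    }
    return sum;
}

/* Helper for constructing a test image: writes the two header fields. */
void make_image(uint8_t *buf, uint32_t startup_size, uint32_t stored_size)
{
    struct startup_header hdr = { startup_size, stored_size };
    memcpy(buf, &hdr, sizeof(hdr));
}

int main(void)
{
    uint8_t img[64] = { 0 };

    /* Ian's example: startup_size == 3, stored_size == kernel_size == sizeof(header). */
    make_image(img, 3, sizeof(struct startup_header));
    printf("startup_size=3: %d (expect %d)\n",
           validate_startup_header(img, sizeof(struct startup_header)),
           IFS_ERR_STARTUP_SIZE);

    /* A consistent header passes and the checksum stays within bounds. */
    make_image(img, 8, 8);
    printf("consistent: %d, checksum over 3 bytes = %u\n",
           validate_startup_header(img, 8), calc_checksum_bounded(img, 3));
    return 0;
}
```

Validation and checksumming are kept as separate steps on purpose: the loader must establish `sizeof(header) <= startup_size <= stored_size <= kernel_size` once, and only then pass any of those values to code that treats them as a byte count.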

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel
