
$NetBSD: patch-CVE-2011-1583,v 1.1 2011/05/12 15:39:05 bouyer Exp $
from http://lists.xensource.com/archives/html/xen-devel/2011-05/msg00491.html
# HG changeset patch
# Parent 11931301845c3b4b6a358f2d7246874b1d10c05f
diff -r 11931301845c libxc/xc_dom_bzimageloader.c
--- libxc/xc_dom_bzimageloader.c Mon Mar 14 16:59:49 2011 +0000
+++ libxc/xc_dom_bzimageloader.c Tue May 03 10:09:28 2011 +0100
@@ -61,18 +61,18 @@
extern struct xc_dom_loader elf_loader;
-static unsigned int payload_offset(struct setup_header *hdr)
+static int check_magic(struct xc_dom_image *dom, const void *magic, size_t len)
{
- unsigned int off;
+ if (len > dom->kernel_size)
+ return 0;
- off = (hdr->setup_sects + 1) * 512;
- off += hdr->payload_offset;
- return off;
+ return (memcmp(dom->kernel_blob, magic, len) == 0);
}
static int check_bzimage_kernel(struct xc_dom_image *dom, int verbose)
{
struct setup_header *hdr;
+ uint64_t payload_offset, payload_length;
if ( dom->kernel_blob == NULL )
{
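Review bot: check_magic carries no comment, yet it is the guard that decides whether the second hunk attempts xc_dom_try_gunzip on the adjusted blob, so its contract should be spelled out above the definition: `/* Return 1 if the first len bytes of dom->kernel_blob equal magic, 0 if they differ or the blob holds fewer than len bytes. */`. The length guard compares `size_t len` with `dom->kernel_size`, whose type is not visible in this hunk; if kernel_size is a signed integer, the usual arithmetic conversions would let a negative value slip past the `len > dom->kernel_size` test, so it is worth confirming that kernel_size is unsigned (or adding a cast) before relying on this check. The `uint64_t payload_offset, payload_length;` declaration added here is consumed by the bounds checks in the next hunk; check_bzimage_kernel starts in this hunk and its body continues beyond it.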
@@ -107,14 +107,43 @@
return -EINVAL;
}
- dom->kernel_blob = dom->kernel_blob + payload_offset(hdr);
- dom->kernel_size = hdr->payload_length;
- if ( xc_dom_try_gunzip(dom, &dom->kernel_blob, &dom->kernel_size) == -1 )
+ /* upcast to 64 bits to avoid overflow */
+ /* setup_sects is u8 and so cannot overflow */
+ payload_offset = (hdr->setup_sects + 1) * 512;
+ payload_offset += hdr->payload_offset;
+ payload_length = hdr->payload_length;
+
+ if ( payload_offset >= dom->kernel_size )
{
- if ( verbose )
- xc_dom_panic(XC_INVALID_KERNEL, "%s: unable to decompress kernel\n",
- __FUNCTION__);
+ xc_dom_panic(XC_INVALID_KERNEL, "%s: payload offset overflow",
+ __FUNCTION__);
+ return -EINVAL;
+ }
+ if ( (payload_offset + payload_length) > dom->kernel_size )
+ {
+ xc_dom_panic(XC_INVALID_KERNEL, "%s: payload length overflow",
+ __FUNCTION__);
+ return -EINVAL;
+ }
+
+ dom->kernel_blob = dom->kernel_blob + payload_offset;
+ dom->kernel_size = payload_length;
+
+ if ( check_magic(dom, "\037\213", 2) )
+ {
+ if ( xc_dom_try_gunzip(dom, &dom->kernel_blob, &dom->kernel_size) == -1 )
+ {
+ if ( verbose )
+ xc_dom_panic(XC_INVALID_KERNEL, "%s: unable to decompress kernel\n",
+ __FUNCTION__);
+ return -EINVAL;
+ }
+ }
+ else
+ {
+ xc_dom_panic(XC_INVALID_KERNEL, "%s: unknown compression format\n",
+ __FUNCTION__);
return -EINVAL;
}