diff options
| author | Ian Jackson <ian.jackson@eu.citrix.com> | 2013-06-14 16:43:17 +0100 |
|---|---|---|
| committer | Ian Jackson <Ian.Jackson@eu.citrix.com> | 2013-06-14 16:43:17 +0100 |
| commit | d0790bdad7496e720416b2d4a04563c4c27e7b95 (patch) | |
| tree | 90fabf5d585d361440f3c9712dd15c0f40baee18 /tools | |
| parent | cc8761371aac432318530c2ddfe2c8234bc0621f (diff) | |
| download | xen-d0790bdad7496e720416b2d4a04563c4c27e7b95.tar.gz xen-d0790bdad7496e720416b2d4a04563c4c27e7b95.tar.bz2 xen-d0790bdad7496e720416b2d4a04563c4c27e7b95.zip | |
libelf: Check pointer references in elf_is_elfbinary
elf_is_elfbinary didn't take a length parameter and could potentially
access out of range when provided with a very short image.
We only need to check the size is enough for the actual dereference in
elf_is_elfbinary; callers are just using it to check the magic number
and do their own checks (usually via the new elf_ptrval system) before
dereferencing other parts of the header.
This is part of the fix to a security issue, XSA-55.
Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Diffstat (limited to 'tools')
| -rw-r--r-- | tools/libxc/xc_dom_elfloader.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/tools/libxc/xc_dom_elfloader.c b/tools/libxc/xc_dom_elfloader.c index b82a08c3b2..ea458864f0 100644 --- a/tools/libxc/xc_dom_elfloader.c +++ b/tools/libxc/xc_dom_elfloader.c @@ -95,7 +95,7 @@ static int check_elf_kernel(struct xc_dom_image *dom, int verbose) return -EINVAL; } - if ( !elf_is_elfbinary(dom->kernel_blob) ) + if ( !elf_is_elfbinary(dom->kernel_blob, dom->kernel_size) ) { if ( verbose ) xc_dom_panic(dom->xch, |