diff options
author | Ian Jackson <ian.jackson@eu.citrix.com> | 2013-06-14 16:39:36 +0100 |
---|---|---|
committer | Ian Jackson <Ian.Jackson@eu.citrix.com> | 2013-06-14 16:39:36 +0100 |
commit | 943de71cf07d9d04ccb215bd46153b04930e9f25 (patch) | |
tree | 0a2ac34b2bf39b2b4185ef398ee5471c73370540 /tools | |
parent | 65808a8ed41cc7c044f588bd6cab5af0fdc0e029 (diff) | |
download | xen-943de71cf07d9d04ccb215bd46153b04930e9f25.tar.gz xen-943de71cf07d9d04ccb215bd46153b04930e9f25.tar.bz2 xen-943de71cf07d9d04ccb215bd46153b04930e9f25.zip |
libelf: Check pointer references in elf_is_elfbinary
elf_is_elfbinary didn't take a length parameter and could potentially
access out of range when provided with a very short image.
We only need to check the size is enough for the actual dereference in
elf_is_elfbinary; callers are just using it to check the magic number
and do their own checks (usually via the new elf_ptrval system) before
dereferencing other parts of the header.
This is part of the fix to a security issue, XSA-55.
Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
v7: Add a comment about the limited function of elf_is_elfbinary.
v2: Style fix.
Fix commit message subject.
Diffstat (limited to 'tools')
-rw-r--r-- | tools/libxc/xc_dom_elfloader.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/tools/libxc/xc_dom_elfloader.c b/tools/libxc/xc_dom_elfloader.c index c038d1c002..f14b053186 100644 --- a/tools/libxc/xc_dom_elfloader.c +++ b/tools/libxc/xc_dom_elfloader.c @@ -93,7 +93,7 @@ static int check_elf_kernel(struct xc_dom_image *dom, int verbose) return -EINVAL; } - if ( !elf_is_elfbinary(dom->kernel_blob) ) + if ( !elf_is_elfbinary(dom->kernel_blob, dom->kernel_size) ) { if ( verbose ) xc_dom_panic(dom->xch, |