ia64/xen-unstable

changeset 10126:14717dedba02

[LOADER] More sanity checks when parsing Elf images to avoid
out-of-bounds array accesses when loading the image.
Signed-off-by: Keir Fraser <keir@xensource.com>
author kaf24@firebug.cl.cam.ac.uk
date Sun May 21 20:15:58 2006 +0100 (2006-05-21)
parents 0f16f0871dc9
children 49bb240a05ee
files tools/libxc/xc_load_elf.c xen/common/elf.c
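--- a/tools/libxc/xc_load_elf.c	Sun May 21 19:05:31 2006 +0100
+++ b/tools/libxc/xc_load_elf.c	Sun May 21 20:15:58 2006 +0100
@@ -158,12 +158,17 @@ static int parseelfimage(const char *ima
     elf_pa_off_defined = (p != NULL);
     elf_pa_off = elf_pa_off_defined ? strtoul(p+17, &p, 0) : virt_base;
 
+    if ( elf_pa_off_defined && !virt_base_defined )
+        goto bad_image;
+
     for ( h = 0; h < ehdr->e_phnum; h++ )
     {
         phdr = (Elf_Phdr *)(image + ehdr->e_phoff + (h*ehdr->e_phentsize));
         if ( !is_loadable_phdr(phdr) )
             continue;
         vaddr = phdr->p_paddr - elf_pa_off + virt_base;
+        if ( (vaddr + phdr->p_memsz) < vaddr )
+            goto bad_image;
         if ( vaddr < kernstart )
             kernstart = vaddr;
         if ( (vaddr + phdr->p_memsz) > kernend )
@@ -184,11 +189,9 @@ static int parseelfimage(const char *ima
 
     if ( (kernstart > kernend) ||
          (dsi->v_kernentry < kernstart) ||
-         (dsi->v_kernentry > kernend) )
-    {
-        ERROR("Malformed ELF image.");
-        return -EINVAL;
-    }
+         (dsi->v_kernentry > kernend) ||
+         (dsi->v_start > kernstart) )
+        goto bad_image;
 
     if ( (p = strstr(guestinfo, "BSD_SYMTAB")) != NULL )
         dsi->load_symtab = 1;
@@ -200,6 +203,10 @@ static int parseelfimage(const char *ima
     loadelfsymtab(image, 0, 0, NULL, dsi);
 
     return 0;
+
+ bad_image:
+    ERROR("Malformed ELF image.");
+    return -EINVAL;
 }
 
 static int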
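Review bot: The program-header pointer in the first hunk, `phdr = (Elf_Phdr *)(image + ehdr->e_phoff + (h*ehdr->e_phentsize));`, is still derived from the untrusted `e_phoff`, `e_phentsize` and `e_phnum` fields with no bound against the image length visible here, so the `is_loadable_phdr(phdr)` read can itself land outside the buffer unless an earlier check outside the hunk already rejects such headers; this is worth confirming, and the same applies to the xen/common/elf.c section below. If no such check exists, reject the header before the loop with `if ( ehdr->e_phoff + ehdr->e_phnum * (unsigned long)ehdr->e_phentsize > IMAGE_LEN ) goto bad_image;` (IMAGE_LEN standing for the image-size value this function receives, whose name is not visible in the hunk), taking care that the product cannot wrap. The new wrap check `if ( (vaddr + phdr->p_memsz) < vaddr )` would also read better with a why-comment such as `/* Segment end must not wrap around the address space. */`, since the shared bad_image label only reports a generic "Malformed ELF image". parseelfimage begins before the first hunk and its middle portion lies between the hunks.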
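--- a/xen/common/elf.c	Sun May 21 19:05:31 2006 +0100
+++ b/xen/common/elf.c	Sun May 21 20:15:58 2006 +0100
@@ -94,12 +94,17 @@ int parseelfimage(struct domain_setup_in
     elf_pa_off_defined = (p != NULL);
     elf_pa_off = elf_pa_off_defined ? simple_strtoul(p+17, &p, 0) : virt_base;
 
+    if ( elf_pa_off_defined && !virt_base_defined )
+        goto bad_image;
+
     for ( h = 0; h < ehdr->e_phnum; h++ )
     {
         phdr = (Elf_Phdr *)(elfbase + ehdr->e_phoff + (h*ehdr->e_phentsize));
         if ( !is_loadable_phdr(phdr) )
             continue;
         vaddr = phdr->p_paddr - elf_pa_off + virt_base;
+        if ( (vaddr + phdr->p_memsz) < vaddr )
+            goto bad_image;
         if ( vaddr < kernstart )
             kernstart = vaddr;
         if ( (vaddr + phdr->p_memsz) > kernend )
@@ -120,11 +125,9 @@ int parseelfimage(struct domain_setup_in
 
     if ( (kernstart > kernend) || 
          (dsi->v_kernentry < kernstart) ||
-         (dsi->v_kernentry > kernend) )
-    {
-        printk("Malformed ELF image.\n");
-        return -EINVAL;
-    }
+         (dsi->v_kernentry > kernend) ||
+         (dsi->v_start > kernstart) )
+        goto bad_image;
 
     if ( (p = strstr(guestinfo, "BSD_SYMTAB")) != NULL )
             dsi->load_symtab = 1;
@@ -136,6 +139,10 @@ int parseelfimage(struct domain_setup_in
     loadelfsymtab(dsi, 0);
 
     return 0;
+
+ bad_image:
+    printk("Malformed ELF image.\n");
+    return -EINVAL;
 }
 
 int loadelfimage(struct domain_setup_info *dsi)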