4c73609012
22998-x86-get_page_from_l1e-retcode.patch 22999-x86-mod_l1_entry-retcode.patch 23000-x86-mod_l2_entry-retcode.patch 23096-x86-hpet-no-cpumask_lock.patch 23099-x86-rwlock-scalability.patch 23103-x86-pirq-guest-eoi-check.patch 23127-vtd-bios-settings.patch 23153-x86-amd-clear-DramModEn.patch 23154-x86-amd-iorr-no-rdwr.patch 23199-amd-iommu-unmapped-intr-fault.patch 23200-amd-iommu-intremap-sync.patch 23228-x86-conditional-write_tsc.patch - update xenalyze to revision 98 * Unify setting of vcpu data type * Unify record size checks * Fix cr3_switch not to access hvm struct before it's initialized - add xenalyze.gcc46.patch to fix unused-but-set-variable errors - bnc#688473 - VUL-0: potential buffer overflow in tools cve-2011-1583-4.0.patch - hotplug.losetup.patch correct dev:inode detection and use variable expansion OBS-URL: https://build.opensuse.org/package/show/Virtualization/xen?expand=0&rev=115
218 lines
6.8 KiB
Diff
218 lines
6.8 KiB
Diff
diff -r dbf2ddf652dc tools/libxc/xc_dom_bzimageloader.c
|
|
--- a/tools/libxc/xc_dom_bzimageloader.c Thu Apr 07 15:26:58 2011 +0100
|
|
+++ b/tools/libxc/xc_dom_bzimageloader.c Thu Apr 21 12:05:57 2011 +0100
|
|
@@ -82,8 +82,29 @@ static int xc_try_bzip2_decode(
|
|
for ( ; ; )
|
|
{
|
|
ret = BZ2_bzDecompress(&stream);
|
|
- if ( (stream.avail_out == 0) || (ret != BZ_OK) )
|
|
+ if ( ret == BZ_STREAM_END )
|
|
{
|
|
+ DOMPRINTF("BZIP2: Saw data stream end");
|
|
+ retval = 0;
|
|
+ break;
|
|
+ }
|
|
+ if ( ret != BZ_OK )
|
|
+ {
|
|
+ DOMPRINTF("BZIP2: error %d", ret);
|
|
+ free(out_buf);
|
|
+ goto bzip2_cleanup;
|
|
+ }
|
|
+
|
|
+ if ( stream.avail_out == 0 )
|
|
+ {
|
|
+ /* Protect against output buffer overflow */
|
|
+ if ( outsize > INT_MAX / 2 )
|
|
+ {
|
|
+ DOMPRINTF("BZIP2: output buffer overflow");
|
|
+ free(out_buf);
|
|
+ goto bzip2_cleanup;
|
|
+ }
|
|
+
|
|
tmp_buf = realloc(out_buf, outsize * 2);
|
|
if ( tmp_buf == NULL )
|
|
{
|
|
@@ -97,16 +118,18 @@ static int xc_try_bzip2_decode(
|
|
stream.avail_out = (outsize * 2) - outsize;
|
|
outsize *= 2;
|
|
}
|
|
-
|
|
- if ( ret != BZ_OK )
|
|
+ else if ( stream.avail_in == 0 )
|
|
{
|
|
- if ( ret == BZ_STREAM_END )
|
|
- {
|
|
- DOMPRINTF("BZIP2: Saw data stream end");
|
|
- retval = 0;
|
|
- break;
|
|
- }
|
|
- DOMPRINTF("BZIP2: error");
|
|
+ /*
|
|
+ * If there is output buffer available then this indicates
|
|
+ * that BZ2_bzDecompress would like more input data to be
|
|
+ * provided. However our complete input buffer is in
|
|
+ * memory and provided upfront so if avail_in is zero this
|
|
+ * actually indicates a truncated input.
|
|
+ */
|
|
+ DOMPRINTF("BZIP2: not enough input");
|
|
+ free(out_buf);
|
|
+ goto bzip2_cleanup;
|
|
}
|
|
}
|
|
|
|
@@ -180,31 +203,14 @@ static int xc_try_lzma_decode(
|
|
for ( ; ; )
|
|
{
|
|
ret = lzma_code(&stream, action);
|
|
- if ( (stream.avail_out == 0) || (ret != LZMA_OK) )
|
|
+ if ( ret == LZMA_STREAM_END )
|
|
{
|
|
- tmp_buf = realloc(out_buf, outsize * 2);
|
|
- if ( tmp_buf == NULL )
|
|
- {
|
|
- DOMPRINTF("LZMA: Failed to realloc memory");
|
|
- free(out_buf);
|
|
- goto lzma_cleanup;
|
|
- }
|
|
- out_buf = tmp_buf;
|
|
-
|
|
- stream.next_out = out_buf + outsize;
|
|
- stream.avail_out = (outsize * 2) - outsize;
|
|
- outsize *= 2;
|
|
+ DOMPRINTF("LZMA: Saw data stream end");
|
|
+ retval = 0;
|
|
+ break;
|
|
}
|
|
-
|
|
if ( ret != LZMA_OK )
|
|
{
|
|
- if ( ret == LZMA_STREAM_END )
|
|
- {
|
|
- DOMPRINTF("LZMA: Saw data stream end");
|
|
- retval = 0;
|
|
- break;
|
|
- }
|
|
-
|
|
switch ( ret )
|
|
{
|
|
case LZMA_MEM_ERROR:
|
|
@@ -238,7 +244,32 @@ static int xc_try_lzma_decode(
|
|
}
|
|
DOMPRINTF("%s: LZMA decompression error %s",
|
|
__FUNCTION__, msg);
|
|
- break;
|
|
+ free(out_buf);
|
|
+ goto lzma_cleanup;
|
|
+ }
|
|
+
|
|
+ if ( stream.avail_out == 0 )
|
|
+ {
|
|
+ /* Protect against output buffer overflow */
|
|
+ if ( outsize > INT_MAX / 2 )
|
|
+ {
|
|
+ DOMPRINTF("LZMA: output buffer overflow");
|
|
+ free(out_buf);
|
|
+ goto lzma_cleanup;
|
|
+ }
|
|
+
|
|
+ tmp_buf = realloc(out_buf, outsize * 2);
|
|
+ if ( tmp_buf == NULL )
|
|
+ {
|
|
+ DOMPRINTF("LZMA: Failed to realloc memory");
|
|
+ free(out_buf);
|
|
+ goto lzma_cleanup;
|
|
+ }
|
|
+ out_buf = tmp_buf;
|
|
+
|
|
+ stream.next_out = out_buf + outsize;
|
|
+ stream.avail_out = (outsize * 2) - outsize;
|
|
+ outsize *= 2;
|
|
}
|
|
}
|
|
|
|
@@ -489,18 +520,18 @@ struct setup_header {
|
|
|
|
extern struct xc_dom_loader elf_loader;
|
|
|
|
-static unsigned int payload_offset(struct setup_header *hdr)
|
|
+static int check_magic(struct xc_dom_image *dom, const void *magic, size_t len)
|
|
{
|
|
- unsigned int off;
|
|
+ if (len > dom->kernel_size)
|
|
+ return 0;
|
|
|
|
- off = (hdr->setup_sects + 1) * 512;
|
|
- off += hdr->payload_offset;
|
|
- return off;
|
|
+ return (memcmp(dom->kernel_blob, magic, len) == 0);
|
|
}
|
|
|
|
static int xc_dom_probe_bzimage_kernel(struct xc_dom_image *dom)
|
|
{
|
|
struct setup_header *hdr;
|
|
+ uint64_t payload_offset, payload_length;
|
|
int ret;
|
|
|
|
if ( dom->kernel_blob == NULL )
|
|
@@ -533,10 +564,30 @@ static int xc_dom_probe_bzimage_kernel(s
|
|
return -EINVAL;
|
|
}
|
|
|
|
- dom->kernel_blob = dom->kernel_blob + payload_offset(hdr);
|
|
- dom->kernel_size = hdr->payload_length;
|
|
|
|
- if ( memcmp(dom->kernel_blob, "\037\213", 2) == 0 )
|
|
+ /* upcast to 64 bits to avoid overflow */
|
|
+ /* setup_sects is u8 and so cannot overflow */
|
|
+ payload_offset = (hdr->setup_sects + 1) * 512;
|
|
+ payload_offset += hdr->payload_offset;
|
|
+ payload_length = hdr->payload_length;
|
|
+
|
|
+ if ( payload_offset >= dom->kernel_size )
|
|
+ {
|
|
+ xc_dom_panic(dom->xch, XC_INVALID_KERNEL, "%s: payload offset overflow",
|
|
+ __FUNCTION__);
|
|
+ return -EINVAL;
|
|
+ }
|
|
+ if ( (payload_offset + payload_length) > dom->kernel_size )
|
|
+ {
|
|
+ xc_dom_panic(dom->xch, XC_INVALID_KERNEL, "%s: payload length overflow",
|
|
+ __FUNCTION__);
|
|
+ return -EINVAL;
|
|
+ }
|
|
+
|
|
+ dom->kernel_blob = dom->kernel_blob + payload_offset;
|
|
+ dom->kernel_size = payload_length;
|
|
+
|
|
+ if ( check_magic(dom, "\037\213", 2) )
|
|
{
|
|
ret = xc_dom_try_gunzip(dom, &dom->kernel_blob, &dom->kernel_size);
|
|
if ( ret == -1 )
|
|
@@ -546,7 +597,7 @@ static int xc_dom_probe_bzimage_kernel(s
|
|
return -EINVAL;
|
|
}
|
|
}
|
|
- else if ( memcmp(dom->kernel_blob, "\102\132\150", 3) == 0 )
|
|
+ else if ( check_magic(dom, "\102\132\150", 3) )
|
|
{
|
|
ret = xc_try_bzip2_decode(dom, &dom->kernel_blob, &dom->kernel_size);
|
|
if ( ret < 0 )
|
|
@@ -557,7 +608,7 @@ static int xc_dom_probe_bzimage_kernel(s
|
|
return -EINVAL;
|
|
}
|
|
}
|
|
- else if ( memcmp(dom->kernel_blob, "\135\000", 2) == 0 )
|
|
+ else if ( check_magic(dom, "\135\000", 2) )
|
|
{
|
|
ret = xc_try_lzma_decode(dom, &dom->kernel_blob, &dom->kernel_size);
|
|
if ( ret < 0 )
|
|
@@ -568,7 +619,7 @@ static int xc_dom_probe_bzimage_kernel(s
|
|
return -EINVAL;
|
|
}
|
|
}
|
|
- else if ( memcmp(dom->kernel_blob, "\x89LZO", 5) == 0 )
|
|
+ else if ( check_magic(dom, "\x89LZO", 5) )
|
|
{
|
|
ret = xc_try_lzo1x_decode(dom, &dom->kernel_blob, &dom->kernel_size);
|
|
if ( ret < 0 )
|