Get Gentoo!
gentoo.org sites
gentoo.org Wiki Bugs Forums Packages
Planet Archives Sources
Infra Status
summaryrefslogtreecommitdiff
path: root/app-emulation/xen/files/xen-3.4.2-CVE-2011-1583.patch
diff options
context:
space:
mode:
Diffstat (limited to 'app-emulation/xen/files/xen-3.4.2-CVE-2011-1583.patch')
-rw-r--r--app-emulation/xen/files/xen-3.4.2-CVE-2011-1583.patch87
1 files changed, 87 insertions, 0 deletions
diff --git a/app-emulation/xen/files/xen-3.4.2-CVE-2011-1583.patch b/app-emulation/xen/files/xen-3.4.2-CVE-2011-1583.patch
new file mode 100644
index 0000000..f5cec4d
--- /dev/null
+++ b/app-emulation/xen/files/xen-3.4.2-CVE-2011-1583.patch
@@ -0,0 +1,87 @@
+--- tools/libxc/xc_dom_bzimageloader.c 2009-11-10 23:12:56.000000000 +0800
++++ tools/libxc/xc_dom_bzimageloader.c 2011-10-09 20:10:08.972815311 +0800
+@@ -308,19 +308,19 @@
+
+ extern struct xc_dom_loader elf_loader;
+
+-static unsigned int payload_offset(struct setup_header *hdr)
++static int check_magic(struct xc_dom_image *dom, const void *magic, size_t len)
+ {
+- unsigned int off;
++ if (len > dom->kernel_size)
++ return 0;
++
++ return (memcmp(dom->kernel_blob, magic, len) == 0);
++ }
+
+- off = (hdr->setup_sects + 1) * 512;
+- off += hdr->payload_offset;
+- return off;
+-}
+-
+-static int xc_dom_probe_bzimage_kernel(struct xc_dom_image *dom)
++static int check_bzimage_kernel(struct xc_dom_image *dom, int verbose)
+ {
+ struct setup_header *hdr;
+- int ret;
++ uint64_t payload_offset, payload_length;
++ /* int ret; */
+
+ if ( dom->kernel_blob == NULL )
+ {
+@@ -352,20 +352,47 @@
+ return -EINVAL;
+ }
+
+- dom->kernel_blob = dom->kernel_blob + payload_offset(hdr);
+- dom->kernel_size = hdr->payload_length;
++ /* upcast to 64 bits to avoid overflow */
++ /* setup_sects is u8 and so cannot overflow */
++ payload_offset = (hdr->setup_sects + 1) * 512;
++ payload_offset += hdr->payload_offset;
++ payload_length = hdr->payload_length;
+
+- if ( memcmp(dom->kernel_blob, "\037\213", 2) == 0 )
+- {
++/* if ( memcmp(dom->kernel_blob, "\037\213", 2) == 0 )
++ {
+ ret = xc_dom_try_gunzip(dom, &dom->kernel_blob, &dom->kernel_size);
+- if ( ret == -1 )
++ if ( ret == -1 ) */
++ if ( payload_offset >= dom->kernel_size )
++ {
++ xc_dom_panic(XC_INVALID_KERNEL, "%s: payload offset overflow",
++ __FUNCTION__);
++ return -EINVAL;
++ }
++ if ( (payload_offset + payload_length) > dom->kernel_size )
++ {
++ xc_dom_panic(XC_INVALID_KERNEL, "%s: payload length overflow",
++ __FUNCTION__);
++ }
++
++ dom->kernel_blob = dom->kernel_blob + payload_offset;
++ dom->kernel_size = payload_length;
++
++ if ( check_magic(dom, "\037\213", 2) )
++ {
++ if ( xc_dom_try_gunzip(dom, &dom->kernel_blob, &dom->kernel_size) == -1 )
+ {
+- xc_dom_panic(XC_INVALID_KERNEL,
+- "%s: unable to gzip decompress kernel\n",
+- __FUNCTION__);
++ if ( verbose )
++ xc_dom_panic(XC_INVALID_KERNEL, "%s: unable to decompress kernel\$n",
++ __FUNCTION__);
+ return -EINVAL;
+ }
+ }
++ else
++ {
++ xc_dom_panic(XC_INVALID_KERNEL, "%s: unknown compression format\n",
++ __FUNCTION__);
++ return -EINVAL;
++ }
+ else if ( memcmp(dom->kernel_blob, "\102\132\150", 3) == 0 )
+ {
+ ret = xc_try_bzip2_decode(dom, &dom->kernel_blob, &dom->kernel_size);