diff options
Diffstat (limited to 'app-emulation/xen/files/xen-3.4.2-CVE-2011-1583.patch')
-rw-r--r-- | app-emulation/xen/files/xen-3.4.2-CVE-2011-1583.patch | 87 |
1 files changed, 87 insertions, 0 deletions
diff --git a/app-emulation/xen/files/xen-3.4.2-CVE-2011-1583.patch b/app-emulation/xen/files/xen-3.4.2-CVE-2011-1583.patch new file mode 100644 index 0000000..f5cec4d --- /dev/null +++ b/app-emulation/xen/files/xen-3.4.2-CVE-2011-1583.patch @@ -0,0 +1,87 @@ +--- tools/libxc/xc_dom_bzimageloader.c 2009-11-10 23:12:56.000000000 +0800 ++++ tools/libxc/xc_dom_bzimageloader.c 2011-10-09 20:10:08.972815311 +0800 +@@ -308,19 +308,19 @@ + + extern struct xc_dom_loader elf_loader; + +-static unsigned int payload_offset(struct setup_header *hdr) ++static int check_magic(struct xc_dom_image *dom, const void *magic, size_t len) + { +- unsigned int off; ++ if (len > dom->kernel_size) ++ return 0; ++ ++ return (memcmp(dom->kernel_blob, magic, len) == 0); ++ } + +- off = (hdr->setup_sects + 1) * 512; +- off += hdr->payload_offset; +- return off; +-} +- +-static int xc_dom_probe_bzimage_kernel(struct xc_dom_image *dom) ++static int check_bzimage_kernel(struct xc_dom_image *dom, int verbose) + { + struct setup_header *hdr; +- int ret; ++ uint64_t payload_offset, payload_length; ++ /* int ret; */ + + if ( dom->kernel_blob == NULL ) + { +@@ -352,20 +352,47 @@ + return -EINVAL; + } + +- dom->kernel_blob = dom->kernel_blob + payload_offset(hdr); +- dom->kernel_size = hdr->payload_length; ++ /* upcast to 64 bits to avoid overflow */ ++ /* setup_sects is u8 and so cannot overflow */ ++ payload_offset = (hdr->setup_sects + 1) * 512; ++ payload_offset += hdr->payload_offset; ++ payload_length = hdr->payload_length; + +- if ( memcmp(dom->kernel_blob, "\037\213", 2) == 0 ) +- { ++/* if ( memcmp(dom->kernel_blob, "\037\213", 2) == 0 ) ++ { + ret = xc_dom_try_gunzip(dom, &dom->kernel_blob, &dom->kernel_size); +- if ( ret == -1 ) ++ if ( ret == -1 ) */ ++ if ( payload_offset >= dom->kernel_size ) ++ { ++ xc_dom_panic(XC_INVALID_KERNEL, "%s: payload offset overflow", ++ __FUNCTION__); ++ return -EINVAL; ++ } ++ if ( (payload_offset + payload_length) > dom->kernel_size ) ++ { ++ xc_dom_panic(XC_INVALID_KERNEL, "%s: payload length overflow", ++ __FUNCTION__); ++ } ++ ++ dom->kernel_blob = dom->kernel_blob + payload_offset; ++ dom->kernel_size = payload_length; ++ ++ if ( check_magic(dom, "\037\213", 2) ) ++ { ++ if ( xc_dom_try_gunzip(dom, &dom->kernel_blob, &dom->kernel_size) == -1 ) + { +- xc_dom_panic(XC_INVALID_KERNEL, +- "%s: unable to gzip decompress kernel\n", +- __FUNCTION__); ++ if ( verbose ) ++ xc_dom_panic(XC_INVALID_KERNEL, "%s: unable to decompress kernel\$n", ++ __FUNCTION__); + return -EINVAL; + } + } ++ else ++ { ++ xc_dom_panic(XC_INVALID_KERNEL, "%s: unknown compression format\n", ++ __FUNCTION__); ++ return -EINVAL; ++ } + else if ( memcmp(dom->kernel_blob, "\102\132\150", 3) == 0 ) + { + ret = xc_try_bzip2_decode(dom, &dom->kernel_blob, &dom->kernel_size); |