Re: [Xen-devel] [PATCH v3] xen/tools: Introduce QNX IFS loader
On Tue, 2014-09-23 at 17:19 +0100, Ian Jackson wrote:
> Ian Campbell writes ("Re: [Xen-devel] [PATCH v3] xen/tools: Introduce QNX IFS loader"):
> > A suitably large stored_size or preboot_size will potentially overflow
> > the addition and the result could be arranged to be == kernel_size.
> >
> > Since stored_size and preboot_size are 32- and 16-bit it is (I think)
> > sufficient to cast to a 64bit type for the addition. Perhaps one way
> > which is nice and clear in terms of reviewing for security would be
> ...
> > BTW, you might want to check > dom->kernel_size to allow for smaller
> > images?
> ...
> > You haven't validated startup_size yet, so you can't trust it to not
> > overrun the buffer. And you need to be careful with that subtraction,
> > probably starting with validating that one is larger than the other.
>
> These would all have been security bugs if the v3 patch had been
> accepted. They would have been bugs that would potentially amount to
> privilege escalation for very many Xen installations.

Well, those booting untrusted QNX guests on ARM, which won't be many yet, but point taken...

> I think we should be considering whether to take an approach similar
> to that taken in libelf after XSA-55. The code can probably be
> reused.

I think something like that would be good, but would be a much bigger yak than we can reasonably ask to be shaved here, since it would need to transition the core xc_dom builder code and all of the loaders for both ARM and x86. And it's certainly not 4.5 material at this point.

Ian.

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel
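The review points above (a size sum that can wrap, an equality check that forbids smaller images, an unvalidated startup_size feeding a subtraction) are illustrated here by an added example that is not part of the thread or of the v3 patch. The struct, its field names and the assumed relation "startup_size <= stored_size" are stand-ins chosen for the example; only the field widths (32-bit stored_size, 16-bit preboot_size) come from the discussion, and the real QNX IFS layout is not reproduced.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical header keeping only the field widths the thread mentions. */
struct img_hdr {
    uint32_t stored_size;    /* 32-bit, attacker-controlled */
    uint16_t preboot_size;   /* 16-bit, attacker-controlled */
    uint32_t startup_size;   /* not validated in the v3 patch */
};

/*
 * Shape of the check the review objected to. uint32_t + uint16_t is
 * computed as unsigned int, so a stored_size close to 0xFFFFFFFF wraps and
 * the wrapped sum can be made equal to whatever kernel_size is.
 */
bool naive_size_check(const struct img_hdr *h, size_t kernel_size)
{
    uint32_t total = h->stored_size + h->preboot_size;   /* can wrap */
    return total == kernel_size;
}

/*
 * Hardened form following the reviewer's suggestions:
 *  - the addition is done in 64 bits, so it cannot wrap;
 *  - ">" instead of "==" lets images smaller than the buffer through;
 *  - startup_size is validated before anything is derived from it;
 *  - the ordering is checked before the subtraction.
 * Assumption for this example: startup_size must lie within stored_size.
 */
bool checked_size_check(const struct img_hdr *h, size_t kernel_size,
                        uint32_t *payload_len)
{
    uint64_t total = (uint64_t)h->stored_size + (uint64_t)h->preboot_size;

    if (total > kernel_size)                 /* would overrun the buffer */
        return false;
    if (h->startup_size > h->stored_size)    /* guards the subtraction */
        return false;

    *payload_len = h->stored_size - h->startup_size;   /* cannot underflow */
    return true;
}

/* Constructed header whose 32-bit sum wraps to exactly kernel_size. */
bool demo_wraparound_rejected(void)
{
    struct img_hdr crafted = {
        .stored_size  = 0xFFFFFF00u,   /* far larger than any real buffer */
        .preboot_size = 0x0200u,       /* 0xFFFFFF00 + 0x200 wraps to 0x100 */
        .startup_size = 0,
    };
    size_t kernel_size = 0x100;        /* size of the buffer actually loaded */
    uint32_t len;

    bool naive_ok   = naive_size_check(&crafted, kernel_size);
    bool checked_ok = checked_size_check(&crafted, kernel_size, &len);
    return naive_ok && !checked_ok;    /* true: naive fooled, checked rejects */
}

/* A well-formed header smaller than the buffer must still be accepted. */
bool demo_small_image_accepted(void)
{
    struct img_hdr good = { .stored_size = 0x80, .preboot_size = 0x10,
                            .startup_size = 0x20 };
    uint32_t len = 0;
    return checked_size_check(&good, 0x100, &len) && len == 0x60;
}

/* startup_size larger than stored_size must be rejected before subtracting. */
bool demo_bad_startup_rejected(void)
{
    struct img_hdr bad = { .stored_size = 0x80, .preboot_size = 0x10,
                           .startup_size = 0x81 };
    uint32_t len = 0;
    return !checked_size_check(&bad, 0x100, &len);
}

int main(void)
{
    printf("wraparound rejected: %s\n", demo_wraparound_rejected() ? "yes" : "no");
    printf("small image accepted: %s\n", demo_small_image_accepted() ? "yes" : "no");
    printf("bad startup rejected: %s\n", demo_bad_startup_rejected() ? "yes" : "no");
    return 0;
}
```

The widened addition is the cheap fix; the libelf-after-XSA-55 approach the reply mentions goes further by routing every header-derived pointer and length through a single bounds-checked accessor, which is what makes it a larger change than one loader can absorb on its own.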