
[Xen-devel] [PATCH 7/8] libelf: loop safety cleanup: Remove superseded image size copy check



Now, elf_load_image eventually calls elf_memcpy_safe, which calls
elf_iter_ok_counted.

So there is a work limit of 4x the image size.  This is larger than
the previous limit of 2x the image size, but it includes a lot of
other processing too.  And the purpose is to reject bad images without
a significant risk of rejecting sane ones.  A 4x limit is tight
enough.

So this ad-hoc remain_allow_copy check has been entirely superseded
and can be removed.

Signed-off-by: Ian Jackson <Ian.Jackson@xxxxxxxxxxxxx>
---
 xen/common/libelf/libelf-loader.c | 19 -------------------
 1 file changed, 19 deletions(-)

diff --git a/xen/common/libelf/libelf-loader.c 
b/xen/common/libelf/libelf-loader.c
index d5e51d3..5e4671b 100644
--- a/xen/common/libelf/libelf-loader.c
+++ b/xen/common/libelf/libelf-loader.c
@@ -482,12 +482,6 @@ elf_errorstatus elf_load_binary(struct elf_binary *elf)
     uint64_t paddr, offset, filesz, memsz;
     unsigned i, count;
     elf_ptrval dest;
-    /*
-     * Let bizarre ELFs write the output image up to twice; this
-     * calculation is just to ensure our copying loop is no worse than
-     * O(domain_size).
-     */
-    uint64_t remain_allow_copy = (uint64_t)elf->dest_size * 2;
 
     count = elf_phdr_count(elf);
     for ( i = 0; elf_iter_ok(elf) && i < count; i++ )
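Review bot: With the comment above `remain_allow_copy` deleted, nothing in elf_load_binary records why the copying loop is still bounded. The only visible guard left is `elf_iter_ok(elf)` in the loop condition, and the actual limit now lives in a callee. Consider leaving a one-line comment here saying that the copy work is charged to the shared work limit through elf_memcpy_safe and elf_iter_ok_counted, as the commit message describes, so a later reader does not conclude the bound was dropped by accident.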
@@ -504,19 +498,6 @@ elf_errorstatus elf_load_binary(struct elf_binary *elf)
         memsz = elf_uval(elf, phdr, p_memsz);
         dest = elf_get_ptr(elf, paddr);
 
-        /*
-         * We need to check that the input image doesn't have us copy
-         * the whole image zillions of times, as that could lead to
-         * O(n^2) time behaviour and possible DoS by a malicous ELF.
-         */
-        if ( remain_allow_copy < memsz )
-        {
-            elf_mark_broken(elf, "program segments total to more"
-                            " than the input image size");
-            break;
-        }
-        remain_allow_copy -= memsz;
-
         elf_msg(elf,
                 "ELF: phdr %u at %#"ELF_PRPTRVAL" -> %#"ELF_PRPTRVAL"\n",
                 i, dest, (elf_ptrval)(dest + filesz));
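Review bot: The removed check at `if ( remain_allow_copy < memsz )` charged the full memsz of every segment, whereas the commit message names only elf_memcpy_safe as the counted path. Please state in the commit message whether the part of a segment beyond filesz (where memsz is larger than filesz) is also charged to the 4x work limit, since that is what makes the old check fully superseded rather than only the copied part. It is also worth noting that the specific diagnostic "program segments total to more than the input image size" goes away, so an image rejected for this reason will now be reported by whatever message the counted-iteration limit emits.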
-- 
2.1.4


_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
https://lists.xen.org/xen-devel

 

