[Xen-devel] [PATCH] xen/build-id: Fix xen_build_id_check() to be robust against malformed notes
An NT_GNU_BUILD_ID with namesz longer than 4 will cause the strncmp() to use
bytes in adjacent stringtable entries.
Instead, check for namesz exactly equal to 4, and use memcmp() with an
explicit size.
Signed-off-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
---
CC: Jan Beulich <JBeulich@xxxxxxxx>
CC: Wei Liu <wei.liu2@xxxxxxxxxx>
CC: Roger Pau Monné <roger.pau@xxxxxxxxxx>
CC: Stefano Stabellini <sstabellini@xxxxxxxxxx>
CC: Julien Grall <julien.grall@xxxxxxx>
Noticed while auditing Xen's use of strncmp() for the command line patch.
---
xen/common/version.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/xen/common/version.c b/xen/common/version.c
index 223cb52..1df7e78 100644
--- a/xen/common/version.c
+++ b/xen/common/version.c
@@ -97,17 +97,17 @@ int xen_build_id_check(const Elf_Note *n, unsigned int n_sz,
if ( NT_GNU_BUILD_ID != n->type )
return -ENODATA;
- if ( n->namesz + n->descsz < n->namesz )
+ if ( n->namesz != 4 /* GNU\0 */)
return -EINVAL;
- if ( n->namesz < 4 /* GNU\0 */)
+ if ( n->namesz + n->descsz < n->namesz )
return -EINVAL;
if ( n->namesz + n->descsz > n_sz - sizeof(*n) )
return -EINVAL;
/* Sanity check, name should be "GNU" for ld-generated build-id. */
- if ( strncmp(ELFNOTE_NAME(n), "GNU", n->namesz) != 0 )
+ if ( memcmp(ELFNOTE_NAME(n), "GNU", 4) != 0 )
return -ENODATA;
if ( len )
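Review bot: The length 4 is now hard-coded twice, in the `n->namesz != 4` check and in the `memcmp(ELFNOTE_NAME(n), "GNU", 4)` call, with only the `/* GNU\0 */` comment tying it to the literal; using `sizeof("GNU")` in both places would keep the size and the string from drifting apart. The new first check also means a build-id note whose name has any other length returns -EINVAL, while a 4-byte name that is not "GNU" still returns -ENODATA from the memcmp() branch; if callers use -ENODATA to mean "not a GNU build-id, skip it", the length mismatch probably belongs in that class too. On the rationale, under standard strncmp() semantics the removed comparison against "GNU" ends at the literal's terminator at index 3 regardless of namesz, so the behavioural change visible here is the rejection of namesz greater than 4, and the commit message could state that directly.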
--
2.1.4