[Xen-changelog] [xen stable-4.3] hvm/load: correct length checks for zeroextended records
commit ca351d09876bd377f940387cd50fba65a92a1c8d
Author: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
AuthorDate: Thu Nov 13 09:54:31 2014 +0100
Commit: Jan Beulich <jbeulich@xxxxxxxx>
CommitDate: Thu Nov 13 09:54:31 2014 +0100
hvm/load: correct length checks for zeroextended records
In the case that Xen is attempting to load a zeroextended HVM record where the
difference needing extending would overflow the data blob, _hvm_check_entry()
will incorrectly fail before working out that it would have been safe.
The "len + sizeof(*d)" check is wrong. Consider zeroextending a 16 byte
record into a 32 byte structure. "32 + hdr" will fail the overall context
length check even though the pre-extended record in the stream is 16 bytes.
The first condition is reduced to just a length check for hvm save header,
while the second condition is extended to include a check that the record in
the stream not exceeding the stream length.
The error messages are extended to include further useful information.
Signed-off-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
Reviewed-by: Paul Durrant <Paul.Durrant@xxxxxxxxxx>
Reviewed-by: Jan Beulich <jbeulich@xxxxxxxx>
master commit: 66d0c0aa1f3e57e873fd64d1d370e11758d25442
master date: 2014-10-27 16:41:50 +0100
---
xen/common/hvm/save.c | 19 +++++++++++--------
1 files changed, 11 insertions(+), 8 deletions(-)
diff --git a/xen/common/hvm/save.c b/xen/common/hvm/save.c
index 6c16399..da6e668 100644
--- a/xen/common/hvm/save.c
+++ b/xen/common/hvm/save.c
@@ -292,19 +292,22 @@ int _hvm_check_entry(struct hvm_domain_context *h,
{
struct hvm_save_descriptor *d
= (struct hvm_save_descriptor *)&h->data[h->cur];
- if ( len + sizeof (*d) > h->size - h->cur)
+ if ( sizeof(*d) > h->size - h->cur)
{
printk(XENLOG_G_WARNING
- "HVM restore: not enough data left to read %u bytes "
- "for type %u\n", len, type);
+ "HVM restore: not enough data left to read %zu bytes "
+ "for type %u header\n", sizeof(*d), type);
return -1;
- }
- if ( (type != d->typecode) || (len < d->length) ||
- (strict_length && (len != d->length)) )
+ }
+ if ( (type != d->typecode) ||
+ (strict_length ? (len != d->length) : (len < d->length)) ||
+ (d->length > (h->size - h->cur - sizeof(*d))) )
{
printk(XENLOG_G_WARNING
- "HVM restore mismatch: expected type %u length %u, "
- "saw type %u length %u\n", type, len, d->typecode, d->length);
+ "HVM restore mismatch: expected %s type %u length %u, "
+ "saw type %u length %u. %zu bytes remaining\n",
+ strict_length ? "strict" : "zeroextended", type, len,
+ d->typecode, d->length, h->size - h->cur - sizeof(*d));
return -1;
}
h->cur += sizeof(*d);
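Review bot: In the second condition, the new clause "d->length > (h->size - h->cur - sizeof(*d))" avoids wrapping below zero only because the header check above has already returned when fewer than sizeof(*d) bytes remain, and the same subtraction is repeated in the printk arguments. Consider computing the remaining payload bytes once into a local after the first check and using it in both places, with a one-line comment on why it cannot underflow. Separately, a record whose d->length runs past the end of the stream is now reported under "HVM restore mismatch", which puts a truncated stream and a type or length disagreement behind the same message; a distinct message for that clause would make restore failures easier to triage.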
--
generated by git-patchbot for /home/xen/git/xen.git#stable-4.3