Re: [Xen-devel] [PATCH v3] xen/tools: Introduce QNX IFS loader
Ian Campbell writes ("Re: [Xen-devel] [PATCH v3] xen/tools: Introduce QNX IFS loader"):
> A suitably large stored_size or preboot_size will potentially overflow
> the addition and the result could be arranged to be == kernel_size.
>
> Since stored_size and preboot_size are 32- and 16-bit it is (I think)
> sufficient to cast to a 64bit type for the addition. Perhaps one way
> which is nice and clear in terms of reviewing for security would be
...
> BTW, you might want to check > dom->kernel_size to allow for smaller
> images?
...
> You haven't validated startup_size yet, so you can't trust it to not
> overrun the buffer. And you need to be careful with that subtraction,
> probably starting with validating that one is larger than the other.

These would all have been security bugs if the v3 patch had been
accepted. They would have been bugs that would potentially amount to
privilege escalation for very many Xen installations.

I think we should be considering whether to take an approach similar to
that taken in libelf after XSA-55. The code can probably be reused.

Ian.

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel
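The three review points quoted above (a narrow-width addition that can wrap to equal kernel_size, a "==" check that rejects images smaller than the buffer, and a subtraction on an unvalidated startup_size) are all instances of one bug class: trusting header-supplied sizes before comparing them against the buffer that was actually provided. The following C example is added here to show the pattern side by side with a hardened form; it is not code from the v3 patch or from the Xen tree. The struct, its field widths and the assumption that the loader needs stored_size - startup_size next are all constructed for this illustration and do not reproduce the real QNX IFS layout.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <stdio.h>

/* Assumed, simplified header for the example: only the three fields the
 * review mentions, with the widths the review gives (32-bit stored_size,
 * 16-bit preboot_size). The real QNX IFS layout is not reproduced here. */
struct ifs_hdr {
    uint32_t stored_size;   /* bytes of image stored in the file        */
    uint16_t preboot_size;  /* bytes preceding the stored image         */
    uint32_t startup_size;  /* bytes of the startup part within stored  */
};

/*
 * The pattern the review warns about. uint32_t + uint16_t is evaluated
 * in 32-bit arithmetic (uint16_t promotes to int, then converts to
 * uint32_t), so a stored_size near UINT32_MAX wraps and the sum can be
 * made equal to kernel_size although stored_size alone is far larger
 * than the buffer. The "==" also rejects any image smaller than the
 * buffer, which is a usability bug on top of the security one.
 */
bool check_naive(const struct ifs_hdr *h, size_t kernel_size)
{
    uint32_t total = h->stored_size + h->preboot_size;   /* may wrap */
    return total == kernel_size;
}

/*
 * Hardened form following the review's suggestions:
 *  - widen both operands to 64 bits before adding, so a 32-bit plus a
 *    16-bit quantity cannot wrap;
 *  - reject anything larger than the buffer (">" rather than "!="), so an
 *    image smaller than the buffer is still accepted;
 *  - validate startup_size against stored_size before subtracting.
 * Returns the validated length stored_size - startup_size (assumed here
 * to be what the loader needs next), or -1 if the header is rejected.
 */
int64_t check_hardened(const struct ifs_hdr *h, size_t kernel_size)
{
    uint64_t stored  = h->stored_size;    /* 32-bit value, widened */
    uint64_t preboot = h->preboot_size;   /* 16-bit value, widened */
    uint64_t startup = h->startup_size;   /* not yet trusted        */

    if (stored + preboot > kernel_size)   /* 64-bit sum cannot overflow */
        return -1;
    if (startup > stored)                 /* subtraction would underflow */
        return -1;
    return (int64_t)(stored - startup);
}

int main(void)
{
    /* Constructed header: 0xFFFFFFF0 + 0x20 wraps to exactly 16 in 32 bits. */
    struct ifs_hdr evil = { 0xFFFFFFF0u, 0x20, 0 };
    printf("naive check accepts wrapped header: %s\n",
           check_naive(&evil, 16) ? "yes (bug)" : "no");
    printf("hardened check result: %lld\n",
           (long long)check_hardened(&evil, 16));

    /* Constructed sane header in a 4608-byte buffer. */
    struct ifs_hdr good = { 4096, 512, 1024 };
    printf("hardened check result for sane header: %lld\n",
           (long long)check_hardened(&good, 4608));
    return 0;
}
```

The widening works because the operand widths are known and small; for fields that are already 64-bit the same shape of check needs an explicit overflow test (for example comparing each operand against kernel_size before adding), which is the approach a libelf-style loader takes by bounding every offset and length against the buffer it was handed.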