[Xen-devel] [PATCH 7/8] libelf: loop safety cleanup: Remove superseded image size copy check
Now, elf_load_image eventually calls elf_memcpy_safe, which calls elf_iter_ok_counted. So there is a work limit of 4x the image size. This is larger than the previous limit of 2x the image size, but it includes a lot of other processing too. And the purpose is to reject bad images without a significant risk of rejecting sane ones. A 4x limit is tight enough. So this ad-hoc remain_allow_copy check has been entirely superseded and can be removed. Signed-off-by: Ian Jackson <Ian.Jackson@xxxxxxxxxxxxx> --- xen/common/libelf/libelf-loader.c | 19 ------------------- 1 file changed, 19 deletions(-) diff --git a/xen/common/libelf/libelf-loader.c b/xen/common/libelf/libelf-loader.c index d5e51d3..5e4671b 100644 --- a/xen/common/libelf/libelf-loader.c +++ b/xen/common/libelf/libelf-loader.c @@ -482,12 +482,6 @@ elf_errorstatus elf_load_binary(struct elf_binary *elf) uint64_t paddr, offset, filesz, memsz; unsigned i, count; elf_ptrval dest; - /* - * Let bizarre ELFs write the output image up to twice; this - * calculation is just to ensure our copying loop is no worse than - * O(domain_size). - */ - uint64_t remain_allow_copy = (uint64_t)elf->dest_size * 2; count = elf_phdr_count(elf); for ( i = 0; elf_iter_ok(elf) && i < count; i++ ) 
@@ -504,19 +498,6 @@ elf_errorstatus elf_load_binary(struct elf_binary *elf) memsz = elf_uval(elf, phdr, p_memsz); dest = elf_get_ptr(elf, paddr); - /* - * We need to check that the input image doesn't have us copy - * the whole image zillions of times, as that could lead to - * O(n^2) time behaviour and possible DoS by a malicous ELF. - */ - if ( remain_allow_copy < memsz ) - { - elf_mark_broken(elf, "program segments total to more" - " than the input image size"); - break; - } - remain_allow_copy -= memsz; - elf_msg(elf, "ELF: phdr %u at %#"ELF_PRPTRVAL" -> %#"ELF_PRPTRVAL"\n", i, dest, (elf_ptrval)(dest + filesz)); -- 2.1.4 _______________________________________________ Xen-devel mailing list Xen-devel@xxxxxxxxxxxxx https://lists.xen.org/xen-devel
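Review bot: In the first hunk (@@ -482,12 +482,6 @@), deleting the comment above remain_allow_copy removes the only statement in elf_load_binary that the copy loop is kept to O(domain_size). Per the commit message the bound now lives in elf_iter_ok_counted, reached through elf_load_image and elf_memcpy_safe, none of which appear in the visible lines of this function. Consider leaving a one-line comment at the `for ( i = 0; elf_iter_ok(elf) && i < count; i++ )` loop saying that the work limit is enforced in the copy helpers, so a later change does not route a copy around them unnoticed.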
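Review bot: In the second hunk (@@ -504,19 +498,6 @@), the removed check charged memsz against the budget (`remain_allow_copy -= memsz;`), which covers the zero-filled tail as well as the filesz bytes that are copied, while the commit message names only elf_memcpy_safe as the counted path. Please confirm, and say in the commit message, that filling the memsz - filesz remainder is also counted; otherwise a segment with a small filesz and a large memsz is no longer charged for its full size. Separately, images that used to be rejected with "program segments total to more than the input image size" will now fail with whatever the work-limit path reports, which is worth noting for anyone who matches on that message.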