
List:       xen-cvs
Subject:    [Xen-changelog] [xen master] hvm/load: correct length checks for zeroextended records
From:       patchbot () xen ! org
Date:       2014-10-30 9:16:46
Message-ID: E1XjlqY-0000it-EH () xenbits ! xen ! org

commit 66d0c0aa1f3e57e873fd64d1d370e11758d25442
Author:     Andrew Cooper <andrew.cooper3@citrix.com>
AuthorDate: Mon Oct 27 16:41:50 2014 +0100
Commit:     Jan Beulich <jbeulich@suse.com>
CommitDate: Mon Oct 27 16:41:50 2014 +0100

    hvm/load: correct length checks for zeroextended records
    
    In the case that Xen is attempting to load a zeroextended HVM record where the
    difference needing extending would overflow the data blob, _hvm_check_entry()
    will incorrectly fail before working out that it would have been safe.
    
    The "len + sizeof(*d)" check is wrong.  Consider zeroextending a 16 byte
    record into a 32 byte structure.  "32 + hdr" will fail the overall context
    length check even though the pre-extended record in the stream is 16 bytes.
    
    The first condition is reduced to just a length check for the hvm save header,
    while the second condition is extended to include a check that the record in
    the stream does not exceed the stream length.
    
    The error messages are extended to include further useful information.
    
    Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
    Reviewed-by: Paul Durrant <Paul.Durrant@citrix.com>
    Reviewed-by: Jan Beulich <jbeulich@suse.com>
---
 xen/common/hvm/save.c |   19 +++++++++++--------
 1 files changed, 11 insertions(+), 8 deletions(-)

diff --git a/xen/common/hvm/save.c b/xen/common/hvm/save.c
index 6c16399..da6e668 100644
--- a/xen/common/hvm/save.c
+++ b/xen/common/hvm/save.c
@@ -292,19 +292,22 @@ int _hvm_check_entry(struct hvm_domain_context *h,
 {
     struct hvm_save_descriptor *d 
         = (struct hvm_save_descriptor *)&h->data[h->cur];
-    if ( len + sizeof (*d) > h->size - h->cur)
+    if ( sizeof(*d) > h->size - h->cur)
     {
         printk(XENLOG_G_WARNING
-               "HVM restore: not enough data left to read %u bytes "
-               "for type %u\n", len, type);
+               "HVM restore: not enough data left to read %zu bytes "
+               "for type %u header\n", sizeof(*d), type);
         return -1;
-    }    
-    if ( (type != d->typecode) || (len < d->length) ||
-         (strict_length && (len != d->length)) )
+    }
+    if ( (type != d->typecode) ||
+         (strict_length ? (len != d->length) : (len < d->length)) ||
+         (d->length > (h->size - h->cur - sizeof(*d))) )
     {
         printk(XENLOG_G_WARNING
-               "HVM restore mismatch: expected type %u length %u, "
-               "saw type %u length %u\n", type, len, d->typecode, d->length);
+               "HVM restore mismatch: expected %s type %u length %u, "
+               "saw type %u length %u.  %zu bytes remaining\n",
+               strict_length ? "strict" : "zeroextended", type, len,
+               d->typecode, d->length, h->size - h->cur - sizeof(*d));
         return -1;
     }
     h->cur += sizeof(*d);
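Review bot: the third sub-condition of the new second `if`, `(d->length > (h->size - h->cur - sizeof(*d)))`, only avoids an unsigned underflow because the preceding `if ( sizeof(*d) > h->size - h->cur )` has already established that at least a header's worth of bytes remains; a one-line comment above the second `if` recording that ordering dependency would stop a future reordering from silently turning the bound into a wrap-around that admits an oversized `d->length`. The ternary `strict_length ? (len != d->length) : (len < d->length)` reads more clearly than the old two-clause form, and the added `%s` mode and `%zu bytes remaining` in the warning let an operator distinguish a truncated stream from a mismatched record, which the old message could not.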
--
generated by git-patchbot for /home/xen/git/xen.git#master
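A constructed side-by-side model of the pre- and post-patch checks, added here as an example (not Xen's own code; the struct layouts are hypothetical simplifications of hvm_save_descriptor and hvm_domain_context), reproducing the commit message's 16-byte-record-into-32-byte-structure case and showing that the new third condition still rejects a descriptor claiming more bytes than the stream holds:

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Constructed stand-ins; the layout is a hypothetical simplification, not
 * Xen's real hvm_save_descriptor / hvm_domain_context. */
struct desc { uint16_t typecode; uint16_t instance; uint32_t length; };
struct ctx { uint8_t *data; uint32_t size; uint32_t cur; };

/* Pre-patch check: fails when len + header exceeds the remaining stream, even
 * though the record actually present in the stream may be shorter than len. */
static int check_old(const struct ctx *h, uint16_t type, uint32_t len, int strict)
{
    const struct desc *d = (const struct desc *)&h->data[h->cur];
    if ( len + sizeof(*d) > h->size - h->cur )
        return -1;
    return (type != d->typecode || len < d->length ||
            (strict && len != d->length)) ? -1 : 0;
}

/* Post-patch check: the header must fit; the descriptor's own length is then
 * bounded by what remains (the first test guarantees no underflow here). */
static int check_new(const struct ctx *h, uint16_t type, uint32_t len, int strict)
{
    const struct desc *d = (const struct desc *)&h->data[h->cur];
    if ( sizeof(*d) > h->size - h->cur )
        return -1;
    return (type != d->typecode ||
            (strict ? (len != d->length) : (len < d->length)) ||
            d->length > h->size - h->cur - sizeof(*d)) ? -1 : 0;
}

/* One constructed scenario: a stream of exactly header + reclen bytes whose
 * descriptor claims `claimed` bytes, loaded into a `len`-byte structure. */
static int scenario(int use_new, uint32_t claimed, uint32_t reclen,
                    uint32_t len, int strict)
{
    uint8_t buf[64] = { 0 };                 /* payload bytes are all zero */
    struct desc d = { 7, 0, claimed };
    struct ctx h = { buf, (uint32_t)(sizeof(d) + reclen), 0 };
    memcpy(buf, &d, sizeof(d));
    return use_new ? check_new(&h, 7, len, strict) : check_old(&h, 7, len, strict);
}

int main(void)
{
    /* commit's 16-into-32 case under both checks, then an over-claiming descriptor */
    printf("old: %d  new: %d  overclaim: %d\n", scenario(0, 16, 16, 32, 0),
           scenario(1, 16, 16, 32, 0), scenario(1, 32, 16, 32, 0));
    return 0;
}
```

Return value 0 means the record was accepted and -1 that it was rejected, mirroring the `return -1` paths in the patch.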

_______________________________________________
Xen-changelog mailing list
Xen-changelog@lists.xen.org
http://lists.xensource.com/xen-changelog