xen-devel

[Xen-devel] Re: [PATCH 1 of 3 V3] tools/libxc: Remus Checkpoint Compress

rshriram@xxxxxxxxx writes ("[PATCH 1 of 3 V3] tools/libxc: Remus Checkpoint 
Compression"):
> +            flag = *src & FLAGMASK;
> +            len = *src & LENMASK;
> +            pos++;
> +            src++;
> +
> +            if (flag == RUNFLAG)
> +            {
> +                if ((pos + len * sizeof(uint32_t)) > compbuf_size)
> +                {
> +                    ERROR("Out of bounds exception in compression buffer 
> (d):"
> +                          "read ptr %lu, runlen = %u, bufsize = %lu\n",
> +                          pos, len * sizeof(uint32_t), compbuf_size);
> +                    return -1;
> +                }
> +
> +                memcpy(&destpage[pagepos], src, len * sizeof(uint32_t));
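
Review bot: The memcpy into `&destpage[pagepos]` is not bounded on the destination side. The check above it, `(pos + len * sizeof(uint32_t)) > compbuf_size`, only guards the read from the compression buffer, so a `len` taken from the stream can pass it and still carry the copy past the end of the page when `pagepos` is already close to the end. Add a second test before the copy that compares `len * sizeof(uint32_t)` against the space left after `pagepos` (written as `XC_PAGE_SIZE - pagepos` so it cannot wrap) and returns -1 on failure. Separately, the ERROR call prints `len * sizeof(uint32_t)`, a `size_t`, with `%u`; the format and the argument type should agree.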

I think this may have a buffer overrun vulnerability.  It seems to me
that it can write beyond destpage + XC_PAGE_SIZE.  Decompressors are
often a source of security vulnerabilities of this kind, so it's
important that we look at it closely.

> +int xc_compression_uncompress_page(xc_interface *xch, char *compbuf,
> +                                   unsigned long compbuf_size,
> +                                   unsigned long *compbuf_pos, char *dest)
> +{
> +    return uncompress_page(xch, dest, compbuf_pos,
> +                           (uint8_t *)compbuf, compbuf_size);
> +}
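
Review bot: `xc_compression_uncompress_page` has no comment stating its contract, and with a signature that takes bare `char *` buffers the caller has nothing to go on: how large `dest` must be, and what `*compbuf_pos` holds on return, including after a failure. Document that at the declaration. The `(uint8_t *)compbuf` cast could also be dropped if the public function took the same pointer type that `uncompress_page` expects.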

What is the purpose of this wrapper function?  All it seems to do is
massage the type and order of arguments.

Thanks,
Ian.
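
The kind of check the review asks for, as an added example that is not part of the patch or of libxc: a decoder that validates every token against both the input buffer and the destination page before copying. The token layout, the mask values, the skip branch and the name `decode_page` are assumptions made for illustration; `PAGE_SIZE_BYTES` stands in for XC_PAGE_SIZE.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Assumed layout (not taken from the patch): one header byte per token,
 * top bit = flag, low 7 bits = length in 32-bit words. */
#define PAGE_SIZE_BYTES 4096u   /* stands in for XC_PAGE_SIZE */
#define FLAGMASK 0x80u
#define LENMASK  0x7fu
#define RUNFLAG  0x80u          /* literal words follow; otherwise skip */

/* Decode one page from buf[*pos..bufsize). Returns 0 on success, -1 if a
 * token would read past the input or write past the destination page.
 * *pos is only advanced on success. */
int decode_page(const uint8_t *buf, size_t bufsize, size_t *pos,
                uint8_t *destpage)
{
    size_t p = *pos, pagepos = 0;

    while (pagepos < PAGE_SIZE_BYTES) {
        if (p >= bufsize)
            return -1;                      /* truncated: no header byte */
        uint8_t hdr = buf[p++];
        size_t nbytes = (size_t)(hdr & LENMASK) * sizeof(uint32_t);

        /* Destination check, written as a subtraction so it cannot wrap.
         * A zero-length token makes no progress and is rejected too. */
        if (nbytes == 0 || nbytes > PAGE_SIZE_BYTES - pagepos)
            return -1;

        if ((hdr & FLAGMASK) == RUNFLAG) {
            if (nbytes > bufsize - p)       /* source check */
                return -1;
            memcpy(&destpage[pagepos], &buf[p], nbytes);
            p += nbytes;
        }
        pagepos += nbytes;                  /* skip tokens leave bytes as-is */
    }
    *pos = p;
    return 0;
}
```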
