Re: [PATCH] XEN: xenbus: integer overflow in process_msg()

From: Ian Campbell
Date: Wed Jan 04 2012 - 04:25:01 EST


On Tue, 2012-01-03 at 19:42 +0000, Haogang Chen wrote:
> There is a potential integer overflow in process_msg() that could result
> in cross-domain attack.
>
> body = kmalloc(msg->hdr.len + 1, GFP_NOIO | __GFP_HIGH);
>
> When a malicious guest passes 0xffffffff in msg->hdr.len, the subsequent
> call to xb_read() would write to a zero-length buffer.

The other end of this connection is always the xenstore backend daemon
so there is no guest (malicious or otherwise) which can do this. The
xenstore daemon is a trusted component in the system.

However this seem like a reasonable robustness improvement so we should
have it.

> This causes
> kernel oops in the receiving guest and hangs its xenbus kernel thread.
> The patch returns -EINVAL in that case.
>
> Signed-off-by: Haogang Chen <haogangchen@xxxxxxxxx>

Acked-by: Ian Campbell <ian.campbell@xxxxxxxxxx>

> ---
> drivers/xen/xenbus/xenbus_xs.c | 6 ++++++
> 1 files changed, 6 insertions(+), 0 deletions(-)
>
> diff --git a/drivers/xen/xenbus/xenbus_xs.c b/drivers/xen/xenbus/xenbus_xs.c
> index ede860f..e32aefb 100644
> --- a/drivers/xen/xenbus/xenbus_xs.c
> +++ b/drivers/xen/xenbus/xenbus_xs.c
> @@ -801,6 +801,12 @@ static int process_msg(void)
> goto out;
> }
>
> + if (msg->hdr.len == UINT_MAX) {
> + kfree(msg);
> + err = -EINVAL;
> + goto out;
> + }
> +
> body = kmalloc(msg->hdr.len + 1, GFP_NOIO | __GFP_HIGH);
> if (body == NULL) {
> kfree(msg);


--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/