Lines 308-326
|
308 |
|
308 |
|
309 |
extern struct xc_dom_loader elf_loader; |
309 |
extern struct xc_dom_loader elf_loader; |
310 |
|
310 |
|
311 |
static unsigned int payload_offset(struct setup_header *hdr) |
311 |
static int check_magic(struct xc_dom_image *dom, const void *magic, size_t len) |
312 |
{ |
312 |
{ |
313 |
unsigned int off; |
313 |
if (len > dom->kernel_size) |
|
|
314 |
return 0; |
315 |
|
316 |
return (memcmp(dom->kernel_blob, magic, len) == 0); |
317 |
} |
314 |
|
318 |
|
315 |
off = (hdr->setup_sects + 1) * 512; |
319 |
static int check_bzimage_kernel(struct xc_dom_image *dom, int verbose) |
316 |
off += hdr->payload_offset; |
|
|
317 |
return off; |
318 |
} |
319 |
|
320 |
static int xc_dom_probe_bzimage_kernel(struct xc_dom_image *dom) |
321 |
{ |
320 |
{ |
322 |
struct setup_header *hdr; |
321 |
struct setup_header *hdr; |
323 |
int ret; |
322 |
uint64_t payload_offset, payload_length; |
|
|
323 |
/* int ret; */ |
324 |
|
324 |
|
325 |
if ( dom->kernel_blob == NULL ) |
325 |
if ( dom->kernel_blob == NULL ) |
326 |
{ |
326 |
{ |
Lines 352-371
|
352 |
return -EINVAL; |
352 |
return -EINVAL; |
353 |
} |
353 |
} |
354 |
|
354 |
|
355 |
dom->kernel_blob = dom->kernel_blob + payload_offset(hdr); |
355 |
/* upcast to 64 bits to avoid overflow */ |
356 |
dom->kernel_size = hdr->payload_length; |
356 |
/* setup_sects is u8 and so cannot overflow */ |
|
|
357 |
payload_offset = (hdr->setup_sects + 1) * 512; |
358 |
payload_offset += hdr->payload_offset; |
359 |
payload_length = hdr->payload_length; |
357 |
|
360 |
|
358 |
if ( memcmp(dom->kernel_blob, "\037\213", 2) == 0 ) |
361 |
/* if ( memcmp(dom->kernel_blob, "\037\213", 2) == 0 ) |
359 |
{ |
362 |
{ |
360 |
ret = xc_dom_try_gunzip(dom, &dom->kernel_blob, &dom->kernel_size); |
363 |
ret = xc_dom_try_gunzip(dom, &dom->kernel_blob, &dom->kernel_size); |
361 |
if ( ret == -1 ) |
364 |
if ( ret == -1 ) */ |
|
|
365 |
if ( payload_offset >= dom->kernel_size ) |
366 |
{ |
367 |
xc_dom_panic(XC_INVALID_KERNEL, "%s: payload offset overflow", |
368 |
__FUNCTION__); |
369 |
return -EINVAL; |
370 |
} |
371 |
if ( (payload_offset + payload_length) > dom->kernel_size ) |
372 |
{ |
373 |
xc_dom_panic(XC_INVALID_KERNEL, "%s: payload length overflow", |
374 |
__FUNCTION__); |
375 |
} |
376 |
|
377 |
dom->kernel_blob = dom->kernel_blob + payload_offset; |
378 |
dom->kernel_size = payload_length; |
379 |
|
380 |
if ( check_magic(dom, "\037\213", 2) ) |
381 |
{ |
382 |
if ( xc_dom_try_gunzip(dom, &dom->kernel_blob, &dom->kernel_size) == -1 ) |
362 |
{ |
383 |
{ |
363 |
xc_dom_panic(XC_INVALID_KERNEL, |
384 |
if ( verbose ) |
364 |
"%s: unable to gzip decompress kernel\n", |
385 |
xc_dom_panic(XC_INVALID_KERNEL, "%s: unable to decompress kernel\$n", |
365 |
__FUNCTION__); |
386 |
__FUNCTION__); |
366 |
return -EINVAL; |
387 |
return -EINVAL; |
367 |
} |
388 |
} |
368 |
} |
389 |
} |
|
|
390 |
else |
391 |
{ |
392 |
xc_dom_panic(XC_INVALID_KERNEL, "%s: unknown compression format\n", |
393 |
__FUNCTION__); |
394 |
return -EINVAL; |
395 |
} |
369 |
else if ( memcmp(dom->kernel_blob, "\102\132\150", 3) == 0 ) |
396 |
else if ( memcmp(dom->kernel_blob, "\102\132\150", 3) == 0 ) |
370 |
{ |
397 |
{ |
371 |
ret = xc_try_bzip2_decode(dom, &dom->kernel_blob, &dom->kernel_size); |
398 |
ret = xc_try_bzip2_decode(dom, &dom->kernel_blob, &dom->kernel_size); |
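Review bot: The payload-length check at new lines 371-375 calls xc_dom_panic() but never returns, unlike the payload-offset check directly above it, so a header whose `payload_offset + payload_length` exceeds `dom->kernel_size` still reaches `dom->kernel_size = payload_length;` and the decompressor is given a length that runs past the loaded image. Add `return -EINVAL;` after the panic call inside that block. The bzip2 test that follows still uses a bare `memcmp(dom->kernel_blob, "\102\132\150", 3)` rather than `check_magic(dom, "\102\132\150", 3)`, so it does not get the length guard the new helper provides for the gzip case. As rendered, the new "unknown compression format" `else` sits directly before that `else if`, which would not compile, and the format string `"%s: unable to decompress kernel\$n"` looks like a mangled `\n`. Both should be checked against the full file, since the function body continues past the end of this hunk.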