(-)tools/libxc/xc_dom_bzimageloader.c (-17 / +44 lines)
Lines 308-326 Link Here
308
308
309
extern struct xc_dom_loader elf_loader;
309
extern struct xc_dom_loader elf_loader;
310
310
311
static unsigned int payload_offset(struct setup_header *hdr)
311
static int check_magic(struct xc_dom_image *dom, const void *magic, size_t len)
312
{
312
{
313
    unsigned int off;
313
    if (len > dom->kernel_size)
314
       return 0;
315
    
316
        return (memcmp(dom->kernel_blob, magic, len) == 0);
317
 }
314
318
315
    off = (hdr->setup_sects + 1) * 512;
319
static int check_bzimage_kernel(struct xc_dom_image *dom, int verbose)
316
    off += hdr->payload_offset;
317
    return off;
318
}
319
320
static int xc_dom_probe_bzimage_kernel(struct xc_dom_image *dom)
321
{
320
{
322
    struct setup_header *hdr;
321
    struct setup_header *hdr;
323
    int ret;
322
    uint64_t payload_offset, payload_length;
323
    /* int ret; */
324
324
325
    if ( dom->kernel_blob == NULL )
325
    if ( dom->kernel_blob == NULL )
326
    {
326
    {
Lines 352-371 Link Here
352
        return -EINVAL;
352
        return -EINVAL;
353
    }
353
    }
354
354
355
    dom->kernel_blob = dom->kernel_blob + payload_offset(hdr);
355
     /* upcast to 64 bits to avoid overflow */
356
    dom->kernel_size = hdr->payload_length;
356
    /* setup_sects is u8 and so cannot overflow */
357
    payload_offset = (hdr->setup_sects + 1) * 512;
358
    payload_offset += hdr->payload_offset;
359
    payload_length = hdr->payload_length;
357
360
358
    if ( memcmp(dom->kernel_blob, "\037\213", 2) == 0 )
361
/*    if ( memcmp(dom->kernel_blob, "\037\213", 2) == 0 )
359
    {
362
    { 
360
        ret = xc_dom_try_gunzip(dom, &dom->kernel_blob, &dom->kernel_size);
363
        ret = xc_dom_try_gunzip(dom, &dom->kernel_blob, &dom->kernel_size);
361
        if ( ret == -1 )
364
        if ( ret == -1 )  */
365
     if ( payload_offset >= dom->kernel_size )
366
     {
367
         xc_dom_panic(XC_INVALID_KERNEL, "%s: payload offset overflow",
368
                     __FUNCTION__);
369
        return -EINVAL;
370
    }
371
    if ( (payload_offset + payload_length) > dom->kernel_size )
372
    {
373
       xc_dom_panic(XC_INVALID_KERNEL, "%s: payload length overflow",
374
                     __FUNCTION__);
375
    }
376
377
    dom->kernel_blob = dom->kernel_blob + payload_offset;
378
    dom->kernel_size = payload_length;
379
    
380
    if ( check_magic(dom, "\037\213", 2) )
381
    {
382
        if ( xc_dom_try_gunzip(dom, &dom->kernel_blob, &dom->kernel_size) == -1 )
362
        {
383
        {
363
            xc_dom_panic(XC_INVALID_KERNEL,
384
            if ( verbose )
364
                         "%s: unable to gzip decompress kernel\n",
385
                xc_dom_panic(XC_INVALID_KERNEL, "%s: unable to decompress kernel\$n",
365
                         __FUNCTION__);
386
                             __FUNCTION__);
366
            return -EINVAL;
387
            return -EINVAL;
367
        }
388
        }
368
    }
389
    }
390
    else
391
    {
392
        xc_dom_panic(XC_INVALID_KERNEL, "%s: unknown compression format\n",
393
                     __FUNCTION__);
394
           return -EINVAL;
395
     }
369
    else if ( memcmp(dom->kernel_blob, "\102\132\150", 3) == 0 )
396
    else if ( memcmp(dom->kernel_blob, "\102\132\150", 3) == 0 )
370
    {
397
    {
371
        ret = xc_try_bzip2_decode(dom, &dom->kernel_blob, &dom->kernel_size);
398
        ret = xc_try_bzip2_decode(dom, &dom->kernel_blob, &dom->kernel_size);
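Review bot: The payload-length check at new lines 371-375 only panics and then falls through, so a header whose payload_length exceeds the remaining blob still reaches `dom->kernel_size = payload_length;` at new 378 and the decompressor called afterwards can read past the end of the kernel image; the branch needs a `return -EINVAL;` after the `xc_dom_panic` call, exactly as the offset check at new 365-370 already has. The restructured dispatch also does not look compilable as shown: the `else` block for "unknown compression format" at new 390-395 is immediately followed by `else if ( memcmp(dom->kernel_blob, "\102\132\150", 3) == 0 )` at new 396, and `ret`, still assigned at new 398, is commented out at new 323 — the unknown-format `else` presumably belongs after the last `else if` branch, and `ret` should stay declared. The message at new 385 contains `\$n` where `\n` is meant. The bzip2 branch at new 396 still calls `memcmp` directly on `dom->kernel_blob` without a length check, whereas the gzip branch now goes through the new `check_magic` helper; applying the helper to every magic comparison would make the bounds guard uniform. check_bzimage_kernel starts at new 319 but its body continues past the end of the hunk.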
