Attachment #289345 for bug #386371





extern struct xc_dom_loader elf_loader;

static int check_magic(struct xc_dom_image *dom, const void *magic, size_t len)
{
    if (len > dom->kernel_size)
       return 0;
    
        return (memcmp(dom->kernel_blob, magic, len) == 0);
 }

static int check_bzimage_kernel(struct xc_dom_image *dom, int verbose)
    off += hdr->payload_offset;
    return off;
}

static int xc_dom_probe_bzimage_kernel(struct xc_dom_image *dom)
{
    struct setup_header *hdr;
    uint64_t payload_offset, payload_length;
    /* int ret; */

    if ( dom->kernel_blob == NULL )
    {

        return -EINVAL;
    }

     /* upcast to 64 bits to avoid overflow */
    /* setup_sects is u8 and so cannot overflow */
    payload_offset = (hdr->setup_sects + 1) * 512;
    payload_offset += hdr->payload_offset;
    payload_length = hdr->payload_length;

/*    if ( memcmp(dom->kernel_blob, "\037\213", 2) == 0 )
    { 
        ret = xc_dom_try_gunzip(dom, &dom->kernel_blob, &dom->kernel_size);
        if ( ret == -1 )  */
     if ( payload_offset >= dom->kernel_size )
     {
         xc_dom_panic(XC_INVALID_KERNEL, "%s: payload offset overflow",
                     __FUNCTION__);
        return -EINVAL;
    }
    if ( (payload_offset + payload_length) > dom->kernel_size )
    {
       xc_dom_panic(XC_INVALID_KERNEL, "%s: payload length overflow",
                     __FUNCTION__);
    }

    dom->kernel_blob = dom->kernel_blob + payload_offset;
    dom->kernel_size = payload_length;
    
    if ( check_magic(dom, "\037\213", 2) )
    {
        if ( xc_dom_try_gunzip(dom, &dom->kernel_blob, &dom->kernel_size) == -1 )
        {
            if ( verbose )
                xc_dom_panic(XC_INVALID_KERNEL, "%s: unable to decompress kernel\$n",
                             __FUNCTION__);
            return -EINVAL;
        }
    }
    else
    {
        xc_dom_panic(XC_INVALID_KERNEL, "%s: unknown compression format\n",
                     __FUNCTION__);
           return -EINVAL;
     }
    else if ( memcmp(dom->kernel_blob, "\102\132\150", 3) == 0 )
    {
        ret = xc_try_bzip2_decode(dom, &dom->kernel_blob, &dom->kernel_size);

Return to bug 386371

Lines 308-326 Link Here

(-)tools/libxc/xc_dom_bzimageloader.c (-17 / +44 lines)
308		308
309	extern struct xc_dom_loader elf_loader;	309	extern struct xc_dom_loader elf_loader;
310		310
311	static unsigned int payload_offset(struct setup_header *hdr)	311	static int check_magic(struct xc_dom_image dom, const void magic, size_t len)
312	{	312	{
313	unsigned int off;	313	if (len > dom->kernel_size)
		314	return 0;
		315
		316	return (memcmp(dom->kernel_blob, magic, len) == 0);
		317	}
314		318
315	off = (hdr->setup_sects + 1) * 512;	319	static int check_bzimage_kernel(struct xc_dom_image *dom, int verbose)
316	off += hdr->payload_offset;
317	return off;
318	}
319
320	static int xc_dom_probe_bzimage_kernel(struct xc_dom_image *dom)
321	{	320	{
322	struct setup_header *hdr;	321	struct setup_header *hdr;
323	int ret;	322	uint64_t payload_offset, payload_length;
		323	/* int ret; */
324		324
325	if ( dom->kernel_blob == NULL )	325	if ( dom->kernel_blob == NULL )
326	{	326	{
Lines 352-371 Link Here
352	return -EINVAL;	352	return -EINVAL;
353	}	353	}
354		354
355	dom->kernel_blob = dom->kernel_blob + payload_offset(hdr);	355	/* upcast to 64 bits to avoid overflow */
356	dom->kernel_size = hdr->payload_length;	356	/* setup_sects is u8 and so cannot overflow */
		357	payload_offset = (hdr->setup_sects + 1) * 512;
		358	payload_offset += hdr->payload_offset;
		359	payload_length = hdr->payload_length;
357		360
358	if ( memcmp(dom->kernel_blob, "\037\213", 2) == 0 )	361	/* if ( memcmp(dom->kernel_blob, "\037\213", 2) == 0 )
359	{	362	{
360	ret = xc_dom_try_gunzip(dom, &dom->kernel_blob, &dom->kernel_size);	363	ret = xc_dom_try_gunzip(dom, &dom->kernel_blob, &dom->kernel_size);
361	if ( ret == -1 )	364	if ( ret == -1 ) */
		365	if ( payload_offset >= dom->kernel_size )
		366	{
		367	xc_dom_panic(XC_INVALID_KERNEL, "%s: payload offset overflow",
		368	__FUNCTION__);
		369	return -EINVAL;
		370	}
		371	if ( (payload_offset + payload_length) > dom->kernel_size )
		372	{
		373	xc_dom_panic(XC_INVALID_KERNEL, "%s: payload length overflow",
		374	__FUNCTION__);
		375	}
		376
		377	dom->kernel_blob = dom->kernel_blob + payload_offset;
		378	dom->kernel_size = payload_length;
		379
		380	if ( check_magic(dom, "\037\213", 2) )
		381	{
		382	if ( xc_dom_try_gunzip(dom, &dom->kernel_blob, &dom->kernel_size) == -1 )
362	{	383	{
363	xc_dom_panic(XC_INVALID_KERNEL,	384	if ( verbose )
364	"%s: unable to gzip decompress kernel\n",	385	xc_dom_panic(XC_INVALID_KERNEL, "%s: unable to decompress kernel\$n",
365	__FUNCTION__);	386	__FUNCTION__);
366	return -EINVAL;	387	return -EINVAL;
367	}	388	}
368	}	389	}
		390	else
		391	{
		392	xc_dom_panic(XC_INVALID_KERNEL, "%s: unknown compression format\n",
		393	__FUNCTION__);
		394	return -EINVAL;
		395	}
369	else if ( memcmp(dom->kernel_blob, "\102\132\150", 3) == 0 )	396	else if ( memcmp(dom->kernel_blob, "\102\132\150", 3) == 0 )
370	{	397	{
371	ret = xc_try_bzip2_decode(dom, &dom->kernel_blob, &dom->kernel_size);	398	ret = xc_try_bzip2_decode(dom, &dom->kernel_blob, &dom->kernel_size);