6. 検査対象② CVE-2013-4371
Use-after-free Xen Hypervisor
402 tmp = realloc(ptr, (i + 1) * sizeof(libxl_cpupoolinfo));
388libxl_cpupoolinfo * libxl_list_cpupool(libxl_ctx *ctx, int *nb_pool)
389{
390 libxl_cpupoolinfo *ptr, *tmp;
397 poolid = 0;
398 for (i = 0;; i++) {
399 info = xc_cpupool_getinfo(ctx->xch, poolid);
400 if (info == NULL)
401 break;
402 tmp = realloc(ptr, (i + 1) * sizeof(libxl_cpupoolinfo));
403 if (!tmp) {
404 LIBXL__LOG_ERRNO(ctx, LIBXL__LOG_ERROR, "allocating cpupool info");
405 free(ptr);
406 xc_cpupool_infofree(ctx->xch, info);
407 return NULL;
408 }
409 ptr = tmp;
410 ptr[i].poolid = info->cpupool_id;
411 ptr[i].sched_id = info->sched_id;
412 ptr[i].n_dom = info->n_dom;
413 if (libxl_cpumap_alloc(ctx, &ptr[i].cpumap)) {
414 xc_cpupool_infofree(ctx->xch, info);
415 break;
416 }
417 memcpy(ptr[i].cpumap.map, info->cpumap, ptr[i].cpumap.size);
418 poolid = info->cpupool_id + 1;
419 xc_cpupool_infofree(ctx->xch, info);
420 }
realloc use-after-free vulnerability
Use-after-free vulnerability in the
libxl¥_list_cpupool function in the libxl
toolstack library in Xen 4.2.x and 4.3.x,
when running "under memory pressure,"
returns the original pointer when the
realloc function fails, which allows local
users to cause a denial of service (heap
corruption and crash) and possibly
execute arbitrary code via unspecified
vectors.
At line 402, Xen uses realloc for reallocating
the memory. Note that the address of
libxl¥_cpupoolinfo is already assigned outside
of this routine. Under high pressure, realloc
can not extend the memory from the original
pointer which is already obtained. in this case,
realloc newly yielding the address which
remaining the data to be written.
Boundary(終了条件)が
緩いループ (pressureを
かけやすい)
Reallocの返り値がポインタ
7. Attack surfaceの削減: 削除可能パスの検出 # global -t cmdtable_lookup
cmdtable_lookup tools/libxl/xl_cmdtable.c 390
20struct cmd_spec cmd_table[] = {
34 { "list",
35 &main_list,
36 "List information about all/some domains",
37 "[options] [Domain]¥n",
38 "-l, --long Output all VM details¥n"
39 "-v, --verbose Prints out UUIDs",
40 },
134 { "migrate-receive",
135 &main_migrate_receive,
136 "Restore a domain from a saved state",
137 "- for internal use only",
138},
341 { "cpupool-create",
342 &main_cpupoolcreate,
343 "Create a CPU pool based an ConfigFile",
344 "[options] <ConfigFile> [vars]",
345 "-h, --help Print this help.¥n"
346 "-f=FILE, --defconfig=FILE Use the given
configuration file.¥n"
347 "-n, --dryrun Dry run - prints the
resulting configuration."
348 },
削除可能パス