superymk / xmhf64


Potential vulnerabilities due to PR 18 #23

Closed lxylxy123456 closed 4 months ago

lxylxy123456 commented 4 months ago

I recently reviewed PR 18 and found the following potential vulnerabilities.

  1. SL does not check slpb.runtime_bss_high_base == rpb->XtVmmRuntimeBSSHighBegin. It also does not check slpb.runtime_bss_high_size == XMHF_RUNTIME_LARGE_BSS_DATA_SIZE.
  2. SL does not check that the runtime bss high memory is full of zero. It also does not memset this memory with zero.
  3. SL does not check that [rpb->XtVmmRuntimeBSSHighBegin, rpb->XtVmmRuntimeBSSHighBegin + XMHF_RUNTIME_LARGE_BSS_DATA_SIZE) and [rpb->XtVmmRuntimePhysBase, rpb->XtVmmRuntimePhysBase + rpb->XtVmmRuntimeSize) do not overlap (i.e. an attacker can make the runtime high bss and another part of the runtime overlap).

Please consider fixing them, thank you!
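The three checks the report asks for, written out as an added C example that is not XMHF's or the PR's own code: the struct layouts (only the fields named above), the value of XMHF_RUNTIME_LARGE_BSS_DATA_SIZE and the function names are assumptions for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Assumed value for this example; the real constant lives in XMHF's headers. */
#define XMHF_RUNTIME_LARGE_BSS_DATA_SIZE (64u * 1024u)

/* Only the fields named in the report; the real XMHF structs hold more. */
typedef struct {
    uint64_t runtime_bss_high_base;   /* SL parameter block */
    uint64_t runtime_bss_high_size;
} sl_param_block_t;

typedef struct {
    uint64_t XtVmmRuntimePhysBase;    /* runtime parameter block */
    uint64_t XtVmmRuntimeSize;
    uint64_t XtVmmRuntimeBSSHighBegin;
} rpb_t;

/* True if [a, a+alen) and [b, b+blen) intersect. A range whose end wraps
 * past UINT64_MAX is reported as overlapping so that it gets rejected. */
static bool ranges_overlap(uint64_t a, uint64_t alen, uint64_t b, uint64_t blen)
{
    if (alen == 0 || blen == 0) return false;
    if (a + alen < a || b + blen < b) return true;
    return a < b + blen && b < a + alen;
}

/* Items 1 and 3: the SL-supplied BSS-high fields must match the runtime
 * parameter block, and the BSS-high region must not overlap the rest of
 * the runtime. Returns 0 when all checks pass, else the failing item. */
int sl_check_bss_high(const sl_param_block_t *slpb, const rpb_t *rpb)
{
    if (slpb->runtime_bss_high_base != rpb->XtVmmRuntimeBSSHighBegin) return 1;
    if (slpb->runtime_bss_high_size != XMHF_RUNTIME_LARGE_BSS_DATA_SIZE) return 1;
    if (ranges_overlap(rpb->XtVmmRuntimeBSSHighBegin, XMHF_RUNTIME_LARGE_BSS_DATA_SIZE,
                       rpb->XtVmmRuntimePhysBase, rpb->XtVmmRuntimeSize)) return 3;
    return 0;
}

/* Item 2: do not trust that the region arrives zeroed; clear it, then
 * verify. Returns true when every byte is zero afterwards. */
bool sl_zero_bss_high(uint8_t *bss_high, size_t len)
{
    memset(bss_high, 0, len);
    for (size_t i = 0; i < len; i++)
        if (bss_high[i] != 0) return false;
    return true;
}
```

The overlap test deliberately treats an end address that wraps around as an overlap, since a caller-supplied base near the top of the address space would otherwise pass the interval check.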

superymk commented 4 months ago

Thanks for reporting the issues! They are fixed in 653da2d and 40a39f0.