Patch "zstd: Fix array-index-out-of-bounds UBSAN warning" has been added to the 6.6-stable tree


 



This is a note to let you know that I've just added the patch titled

    zstd: Fix array-index-out-of-bounds UBSAN warning

to the 6.6-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     zstd-fix-array-index-out-of-bounds-ubsan-warning.patch
and it can be found in the queue-6.6 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit 740958dc0a823f905b9790fa9e57de24633c6436
Author: Nick Terrell <terrelln@xxxxxx>
Date:   Thu Oct 12 12:55:34 2023 -0700

    zstd: Fix array-index-out-of-bounds UBSAN warning
    
    [ Upstream commit 77618db346455129424fadbbaec596a09feaf3bb ]
    
    Zstd used an array of length 1 to mean a flexible array for C89
    compatibility. Switch to a C99 flexible array to fix the UBSAN warning.
    
    Tested locally by booting the kernel and writing to and reading from a
    BtrFS filesystem with zstd compression enabled. I was unable to reproduce
    the issue before the fix, however it is a trivial change.
    
    Link: https://lkml.kernel.org/r/20231012213428.1390905-1-nickrterrell@xxxxxxxxx
    Reported-by: syzbot+1f2eb3e8cd123ffce499@xxxxxxxxxxxxxxxxxxxxxxxxx
    Reported-by: Eric Biggers <ebiggers@xxxxxxxxxx>
    Reported-by: Kees Cook <keescook@xxxxxxxxxxxx>
    Signed-off-by: Nick Terrell <terrelln@xxxxxx>
    Reviewed-by: Kees Cook <keescook@xxxxxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/lib/zstd/common/fse_decompress.c b/lib/zstd/common/fse_decompress.c
index a0d06095be83d..8dcb8ca39767c 100644
--- a/lib/zstd/common/fse_decompress.c
+++ b/lib/zstd/common/fse_decompress.c
@@ -312,7 +312,7 @@ size_t FSE_decompress_wksp(void* dst, size_t dstCapacity, const void* cSrc, size
 
 typedef struct {
     short ncount[FSE_MAX_SYMBOL_VALUE + 1];
-    FSE_DTable dtable[1]; /* Dynamically sized */
+    FSE_DTable dtable[]; /* Dynamically sized */
 } FSE_DecompressWksp;
 
 
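Review bot: Changing `FSE_DTable dtable[1];` to `FSE_DTable dtable[];` also shrinks `sizeof(FSE_DecompressWksp)` by one `FSE_DTable` element, and this hunk touches no code that sizes or bounds-checks the workspace. Any caller-side check or allocation that uses `sizeof(FSE_DecompressWksp)` and previously counted that element as part of the table will now accept or allocate a slightly smaller workspace, so those sites should be confirmed to add the full table size explicitly. The `/* Dynamically sized */` comment could also say what determines the length, since the struct itself no longer carries any hint. As the commit message states that the warning could not be reproduced before the fix, a run against the syzbot reproducer would be the useful confirmation for a stable backport.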


