This is a note to let you know that I've just added the patch titled lz4: add overrun checks to lz4_uncompress_unknownoutputsize() to the 3.15-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary The filename of the patch is: lz4-add-overrun-checks-to-lz4_uncompress_unknownoutputsize.patch and it can be found in the queue-3.15 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable@xxxxxxxxxxxxxxx> know about it. >From 4a3a99045177369700c60d074c0e525e8093b0fc Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx> Date: Thu, 3 Jul 2014 16:06:57 -0700 Subject: lz4: add overrun checks to lz4_uncompress_unknownoutputsize() From: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx> commit 4a3a99045177369700c60d074c0e525e8093b0fc upstream. Jan points out that I forgot to make the needed fixes to the lz4_uncompress_unknownoutputsize() function to mirror the changes done in lz4_decompress() with regards to potential pointer overflows. The only in-kernel user of this function is the zram code, which only takes data from a valid compressed buffer that it made itself, so it's not a big issue. But due to external kernel modules using this function, it's better to be safe here. Reported-by: Jan Beulich <JBeulich@xxxxxxxx> Cc: "Don A. Bailey" <donb@xxxxxxxxxxxxxxxxx> Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx> --- lib/lz4/lz4_decompress.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) --- a/lib/lz4/lz4_decompress.c +++ b/lib/lz4/lz4_decompress.c @@ -192,6 +192,8 @@ static int lz4_uncompress_unknownoutputs int s = 255; while ((ip < iend) && (s == 255)) { s = *ip++; + if (unlikely(length > (size_t)(length + s))) + goto _output_error; length += s; } } @@ -232,6 +234,8 @@ static int lz4_uncompress_unknownoutputs if (length == ML_MASK) { while (ip < iend) { int s = *ip++; + if (unlikely(length > (size_t)(length + s))) + goto _output_error; length += s; if (s == 255) continue; @@ -284,7 +288,7 @@ static int lz4_uncompress_unknownoutputs /* write overflow error detected */ _output_error: - return (int) (-(((char *) ip) - source)); + return -1; } int lz4_decompress(const unsigned char *src, size_t *src_len, Patches currently in stable-queue which might be from gregkh@xxxxxxxxxxxxxxxxxxx are queue-3.15/ib-umad-fix-error-handling.patch queue-3.15/powerpc-fix-typo-config_ppc_cpu.patch queue-3.15/xfs-xfs_readsb-needs-to-check-for-magic-numbers.patch queue-3.15/pci-add-new-id-for-intel-gpu-spurious-interrupt-quirk.patch queue-3.15/hpsa-add-new-smart-array-pci-ids-may-2014.patch queue-3.15/mips-msc-prevent-out-of-bounds-writes-to-mips-sc-ioremap-d-region.patch queue-3.15/rdma-cxgb4-add-missing-padding-at-end-of-struct-c4iw_alloc_ucontext_resp.patch queue-3.15/powerpc-perf-ensure-all-ebb-register-state-is-cleared-on-fork.patch queue-3.15/mips-kvm-remove-redundant-null-checks-before-kfree.patch queue-3.15/mtip32xx-increase-timeout-for-standby-immediate-command.patch queue-3.15/nfsd4-fix-free_stateid-lockowner-leak.patch queue-3.15/nfs-fix-cache_validity-check-in-nfs_write_pageuptodate.patch queue-3.15/mtip32xx-remove-dfs_parent-after-pci-unregister.patch queue-3.15/ubifs-remove-incorrect-assertion-in-shrink_tnc.patch queue-3.15/powernv-fix-permissions-on-sysparam-sysfs-entries.patch queue-3.15/nfsd-getattr-for-fattr4_word0_files_avail-needs-the-statfs-buffer.patch queue-3.15/cpufreq-ppc-corenet-cpu-freq-do_div-use-quotient.patch queue-3.15/iscsi-target-avoid-rejecting-incorrect-itt-for-data-out.patch queue-3.15/input-synaptics-fix-resolution-for-manually-provided-min-max.patch queue-3.15/target-fix-left-over-se_lun-lun_sep-pointer-oops.patch queue-3.15/ib-umad-fix-use-after-free-on-close.patch queue-3.15/ib-ipath-translate-legacy-diagpkt-into-newer-extended-diagpkt.patch queue-3.15/ib-srp-fix-a-sporadic-crash-triggered-by-cable-pulling.patch queue-3.15/iscsi-target-explicily-clear-login-response-pdu-in-exception-path.patch queue-3.15/ubifs-fix-an-mmap-and-fsync-race-condition.patch queue-3.15/rdma-cxgb4-add-missing-padding-at-end-of-struct-c4iw_create_cq_resp.patch queue-3.15/revert-mips-save-restore-msa-context-around-signals.patch queue-3.15/pci-fix-incorrect-vgaarb-conditional-in-warn_on.patch queue-3.15/lz4-add-overrun-checks-to-lz4_uncompress_unknownoutputsize.patch queue-3.15/powerpc-don-t-skip-epapr-spin-table-cpus.patch queue-3.15/recordmcount-mips-fix-possible-incorrect-mcount_loc-table-entries-in-modules.patch queue-3.15/ib-mlx5-add-missing-padding-at-end-of-struct-mlx5_ib_create_srq.patch queue-3.15/input-elantech-don-t-set-bit-1-of-reg_10-when-the-no_hw_res-quirk-is-set.patch queue-3.15/powerpc-add-at_hwcap2-to-indicate-v.crypto-category-support.patch queue-3.15/powerpc-mm-check-paca-psize-is-up-to-date-for-huge-mappings.patch queue-3.15/cpufreq-unlock-when-failing-cpufreq_update_policy.patch queue-3.15/ib-qib-fix-port-in-pkey-change-event.patch queue-3.15/watchdog-kempld-wdt-use-the-correct-value-when-configuring-the-prescaler-with-the-watchdog.patch queue-3.15/kernel-watchdog.c-remove-preemption-restrictions-when-restarting-lockup-detector.patch queue-3.15/powerpc-pseries-fix-overwritten-pe-state.patch queue-3.15/ptrace-x86-force-iret-path-after-a-ptrace_stop.patch queue-3.15/nfs-populate-net-in-mount-data-when-remounting.patch queue-3.15/pnfs-handle-allocation-errors-correctly-in-filelayout_alloc_layout_hdr.patch queue-3.15/input-elantech-deal-with-clickpads-reporting-right-button-events.patch queue-3.15/powerpc-don-t-setup-cpus-with-bad-status.patch queue-3.15/nfs-use-raw_write_seqcount_begin-end-int-nfs4_reclaim_open_state.patch queue-3.15/watchdog-ath79_wdt-avoid-spurious-restarts-on-ar934x.patch queue-3.15/sunrpc-fix-a-module-reference-leak-in-svc_handle_xprt.patch queue-3.15/nfs-don-t-declare-inode-uptodate-unless-all-attributes-were-checked.patch queue-3.15/iscsi-target-fix-iscsit_del_np-deadlock-on-unload.patch queue-3.15/powerpc-64bit-sendfile-is-capped-at-2gb.patch queue-3.15/reiserfs-call-truncate_setsize-under-tailpack-mutex.patch queue-3.15/ib-mlx5-add-missing-padding-at-end-of-struct-mlx5_ib_create_cq.patch queue-3.15/mtip32xx-fix-ero-and-nosnoop-values-in-pcie-upstream-on-amd-systems.patch queue-3.15/mips-kvm-fix-memory-leak-on-vcpu.patch queue-3.15/powerpc-serial-use-saner-flags-when-creating-legacy-ports.patch queue-3.15/watchdog-sp805-set-watchdog_device-timeout-from-set_timeout.patch queue-3.15/rdma-cxgb4-fix-memory-leaks-in-c4iw_alloc-error-paths.patch queue-3.15/powerpc-fix-typo-config_pmac.patch -- To unsubscribe from this list: send the line "unsubscribe stable" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html