Patch "lz4: add overrun checks to lz4_uncompress_unknownoutputsize()" has been added to the 3.15-stable tree

This is a note to let you know that I've just added the patch titled

    lz4: add overrun checks to lz4_uncompress_unknownoutputsize()

to the 3.15-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     lz4-add-overrun-checks-to-lz4_uncompress_unknownoutputsize.patch
and it can be found in the queue-3.15 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.


From 4a3a99045177369700c60d074c0e525e8093b0fc Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
Date: Thu, 3 Jul 2014 16:06:57 -0700
Subject: lz4: add overrun checks to lz4_uncompress_unknownoutputsize()

From: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>

commit 4a3a99045177369700c60d074c0e525e8093b0fc upstream.

Jan points out that I forgot to make the needed fixes to the
lz4_uncompress_unknownoutputsize() function to mirror the changes done
in lz4_decompress() with regards to potential pointer overflows.

The only in-kernel user of this function is the zram code, which only
takes data from a valid compressed buffer that it made itself, so it's
not a big issue.  But due to external kernel modules using this
function, it's better to be safe here.

Reported-by: Jan Beulich <JBeulich@xxxxxxxx>
Cc: "Don A. Bailey" <donb@xxxxxxxxxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>

---
 lib/lz4/lz4_decompress.c |    6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

--- a/lib/lz4/lz4_decompress.c
+++ b/lib/lz4/lz4_decompress.c
@@ -192,6 +192,8 @@ static int lz4_uncompress_unknownoutputs
 			int s = 255;
 			while ((ip < iend) && (s == 255)) {
 				s = *ip++;
+				if (unlikely(length > (size_t)(length + s)))
+					goto _output_error;
 				length += s;
 			}
 		}
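Review bot: The wrap test added before `length += s` in the literal-length loop relies on `length` being an unsigned type, so that the addition wraps with defined behaviour; its declaration is outside this hunk, so please confirm that, because with a signed `length` the overflow would be undefined and the compiler could drop the test. The test also catches only arithmetic wraparound of the accumulated length, not a length that is merely larger than the remaining input or output, so the later bounds checks still have to cover that. A one-line comment saying this is a wraparound guard would help the next reader.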
@@ -232,6 +234,8 @@ static int lz4_uncompress_unknownoutputs
 		if (length == ML_MASK) {
 			while (ip < iend) {
 				int s = *ip++;
+				if (unlikely(length > (size_t)(length + s)))
+					goto _output_error;
 				length += s;
 				if (s == 255)
 					continue;
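Review bot: This match-length loop repeats the wrap test from the literal-length loop verbatim, so the expression `length > (size_t)(length + s)` now lives in two places; a small inline helper or macro used by both would keep them in step. Separately, the loop condition `ip < iend` lets a run of 255 bytes end at the input boundary without raising an error, and the hunk does not show whether the partial `length` is rejected afterwards; worth checking while this code is being touched.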
@@ -284,7 +288,7 @@ static int lz4_uncompress_unknownoutputs
 
 	/* write overflow error detected */
 _output_error:
-	return (int) (-(((char *) ip) - source));
+	return -1;
 }
 
 int lz4_decompress(const unsigned char *src, size_t *src_len,
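Review bot: The return value at `_output_error` changes from a negative input offset to a constant `-1`, and the changelog does not mention it; please say why in the commit message and confirm that callers only test for a negative result rather than using the offset. The old expression could evaluate to 0 when `ip` equals `source`, so if that is the motivation it deserves a sentence. The comment `/* write overflow error detected */` is now also reached for the new length wraparound case and could be widened to match.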


Patches currently in stable-queue which might be from gregkh@xxxxxxxxxxxxxxxxxxx are

queue-3.15/ib-umad-fix-error-handling.patch
queue-3.15/powerpc-fix-typo-config_ppc_cpu.patch
queue-3.15/xfs-xfs_readsb-needs-to-check-for-magic-numbers.patch
queue-3.15/pci-add-new-id-for-intel-gpu-spurious-interrupt-quirk.patch
queue-3.15/hpsa-add-new-smart-array-pci-ids-may-2014.patch
queue-3.15/mips-msc-prevent-out-of-bounds-writes-to-mips-sc-ioremap-d-region.patch
queue-3.15/rdma-cxgb4-add-missing-padding-at-end-of-struct-c4iw_alloc_ucontext_resp.patch
queue-3.15/powerpc-perf-ensure-all-ebb-register-state-is-cleared-on-fork.patch
queue-3.15/mips-kvm-remove-redundant-null-checks-before-kfree.patch
queue-3.15/mtip32xx-increase-timeout-for-standby-immediate-command.patch
queue-3.15/nfsd4-fix-free_stateid-lockowner-leak.patch
queue-3.15/nfs-fix-cache_validity-check-in-nfs_write_pageuptodate.patch
queue-3.15/mtip32xx-remove-dfs_parent-after-pci-unregister.patch
queue-3.15/ubifs-remove-incorrect-assertion-in-shrink_tnc.patch
queue-3.15/powernv-fix-permissions-on-sysparam-sysfs-entries.patch
queue-3.15/nfsd-getattr-for-fattr4_word0_files_avail-needs-the-statfs-buffer.patch
queue-3.15/cpufreq-ppc-corenet-cpu-freq-do_div-use-quotient.patch
queue-3.15/iscsi-target-avoid-rejecting-incorrect-itt-for-data-out.patch
queue-3.15/input-synaptics-fix-resolution-for-manually-provided-min-max.patch
queue-3.15/target-fix-left-over-se_lun-lun_sep-pointer-oops.patch
queue-3.15/ib-umad-fix-use-after-free-on-close.patch
queue-3.15/ib-ipath-translate-legacy-diagpkt-into-newer-extended-diagpkt.patch
queue-3.15/ib-srp-fix-a-sporadic-crash-triggered-by-cable-pulling.patch
queue-3.15/iscsi-target-explicily-clear-login-response-pdu-in-exception-path.patch
queue-3.15/ubifs-fix-an-mmap-and-fsync-race-condition.patch
queue-3.15/rdma-cxgb4-add-missing-padding-at-end-of-struct-c4iw_create_cq_resp.patch
queue-3.15/revert-mips-save-restore-msa-context-around-signals.patch
queue-3.15/pci-fix-incorrect-vgaarb-conditional-in-warn_on.patch
queue-3.15/lz4-add-overrun-checks-to-lz4_uncompress_unknownoutputsize.patch
queue-3.15/powerpc-don-t-skip-epapr-spin-table-cpus.patch
queue-3.15/recordmcount-mips-fix-possible-incorrect-mcount_loc-table-entries-in-modules.patch
queue-3.15/ib-mlx5-add-missing-padding-at-end-of-struct-mlx5_ib_create_srq.patch
queue-3.15/input-elantech-don-t-set-bit-1-of-reg_10-when-the-no_hw_res-quirk-is-set.patch
queue-3.15/powerpc-add-at_hwcap2-to-indicate-v.crypto-category-support.patch
queue-3.15/powerpc-mm-check-paca-psize-is-up-to-date-for-huge-mappings.patch
queue-3.15/cpufreq-unlock-when-failing-cpufreq_update_policy.patch
queue-3.15/ib-qib-fix-port-in-pkey-change-event.patch
queue-3.15/watchdog-kempld-wdt-use-the-correct-value-when-configuring-the-prescaler-with-the-watchdog.patch
queue-3.15/kernel-watchdog.c-remove-preemption-restrictions-when-restarting-lockup-detector.patch
queue-3.15/powerpc-pseries-fix-overwritten-pe-state.patch
queue-3.15/ptrace-x86-force-iret-path-after-a-ptrace_stop.patch
queue-3.15/nfs-populate-net-in-mount-data-when-remounting.patch
queue-3.15/pnfs-handle-allocation-errors-correctly-in-filelayout_alloc_layout_hdr.patch
queue-3.15/input-elantech-deal-with-clickpads-reporting-right-button-events.patch
queue-3.15/powerpc-don-t-setup-cpus-with-bad-status.patch
queue-3.15/nfs-use-raw_write_seqcount_begin-end-int-nfs4_reclaim_open_state.patch
queue-3.15/watchdog-ath79_wdt-avoid-spurious-restarts-on-ar934x.patch
queue-3.15/sunrpc-fix-a-module-reference-leak-in-svc_handle_xprt.patch
queue-3.15/nfs-don-t-declare-inode-uptodate-unless-all-attributes-were-checked.patch
queue-3.15/iscsi-target-fix-iscsit_del_np-deadlock-on-unload.patch
queue-3.15/powerpc-64bit-sendfile-is-capped-at-2gb.patch
queue-3.15/reiserfs-call-truncate_setsize-under-tailpack-mutex.patch
queue-3.15/ib-mlx5-add-missing-padding-at-end-of-struct-mlx5_ib_create_cq.patch
queue-3.15/mtip32xx-fix-ero-and-nosnoop-values-in-pcie-upstream-on-amd-systems.patch
queue-3.15/mips-kvm-fix-memory-leak-on-vcpu.patch
queue-3.15/powerpc-serial-use-saner-flags-when-creating-legacy-ports.patch
queue-3.15/watchdog-sp805-set-watchdog_device-timeout-from-set_timeout.patch
queue-3.15/rdma-cxgb4-fix-memory-leaks-in-c4iw_alloc-error-paths.patch
queue-3.15/powerpc-fix-typo-config_pmac.patch