>>> On 04.07.14 at 15:01, wrote: >>>> On 04.07.14 at 08:12, Jan Beulich wrote: > >>>> On 04.07.14 at 01:11, <gregkh@xxxxxxxxxxxxxxxxxxx> wrote: > > > From: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx> > > > > > > Jan points out that I forgot to make the needed fixes to the > > > lz4_uncompress_unknownoutputsize() function to mirror the changes done > > > in lz4_decompress() with regards to potential pointer overflows. > > > > Except that meanwhile Don agreed with my statement that neither > > this nor the two earlier patches really fix the issue. So rather than > > pushing this into 3.16 and stable trees, I wonder whether the two > > earlier ones shouldn't be reverted and then a clean and correct > > fix be applied. > > So here's a patch which I think adds the missing pieces. There wasn't any feedback at all so far, which I'm irritated by. Did I do anything obviously wrong without noticing myself? Jan > lz4: check for underruns > > While overruns are already being taken care of, underruns (resulting > from overflows in the respective "op + length" (or similar) operations > weren't. Fix this, allowing commits 4a3a990451, 4148c1f67a, and > 206204a116 to be reverted (perhaps apart from the return value > adjustments two of the three do). > > Signed-off-by: Jan Beulich <jbeulich@xxxxxxxx> > --- > The patch applies correctly with or without said reverts carried out. > > --- a/lib/lz4/lz4_decompress.c > +++ b/lib/lz4/lz4_decompress.c > @@ -89,6 +89,8 @@ static int lz4_uncompress(const char *so > ip += length; > break; /* EOF */ > } > + if (unlikely((unsigned long)cpy < (unsigned long)op)) > + goto _output_error; > LZ4_WILDCOPY(ip, op, cpy); > ip -= (op - cpy); > op = cpy; > @@ -147,6 +149,8 @@ static int lz4_uncompress(const char *so > goto _output_error; > continue; > } > + if (unlikely((unsigned long)cpy < (unsigned long)op)) > + goto _output_error; > LZ4_SECURECOPY(ref, op, cpy); > op = cpy; /* correction */ > } 
> @@ -209,6 +213,8 @@ static int lz4_uncompress_unknownoutputs > op += length; > break;/* Necessarily EOF, due to parsing restrictions */ > } > + if (unlikely((unsigned long)cpy < (unsigned long)op)) > + goto _output_error; > LZ4_WILDCOPY(ip, op, cpy); > ip -= (op - cpy); > op = cpy; > @@ -272,6 +278,8 @@ static int lz4_uncompress_unknownoutputs > goto _output_error; > continue; > } > + if (unlikely((unsigned long)cpy < (unsigned long)op)) > + goto _output_error; > LZ4_SECURECOPY(ref, op, cpy); > op = cpy; /* correction */ > }
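Review bot: in the @@ -89,6 hunk of lz4_uncompress() the new test `if (unlikely((unsigned long)cpy < (unsigned long)op))` sits after the block that ends in `ip += length; break; /* EOF */`, so that earlier block is reached before the wrap test has run. If a wrapped cpy can satisfy that block's condition, the test should move ahead of it, directly after cpy is computed; if it cannot, a one-line comment stating why would make the ordering reviewable from the code alone.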
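Review bot: the @@ -209,6 hunk tests only the output pointer, while the lines right after the new test advance the input pointer as well (`LZ4_WILDCOPY(ip, op, cpy); ip -= (op - cpy);`) and nothing visible here tests ip for the same wraparound. If the input side is bounded by a check outside this hunk, please say so in the commit message or a comment; otherwise a matching test on ip seems needed before the copy.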
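Review bot: by the @@ -272,6 hunk the same uncommented two-line test `if (unlikely((unsigned long)cpy < (unsigned long)op)) goto _output_error;` has been open-coded four times. Consider a small helper or macro carrying a comment that cpy below op means the "op + length" sum wrapped, so the intent of the casts is documented once and a future fifth copy site is harder to miss.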
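The underrun described in the commit message, as an added example that is not part of the original message or of the kernel source: addresses are modelled as uintptr_t so the wrap is well-defined, and the function names, the enum and the sample addresses are constructed for illustration. The third function goes beyond the patch and shows a bound test that avoids the addition altogether.

```c
#include <stdint.h>
#include <stdio.h>

enum copy_check { COPY_OK = 0, COPY_OVERRUN = 1, COPY_WRAPPED = 2 };

/* Constructed sample: an output buffer ending close to the top of the
 * address space, with 0x80 bytes left, and an oversized length field. */
#define OP_NEAR_TOP   (UINTPTR_MAX - 0xFFu)
#define OEND_NEAR_TOP (UINTPTR_MAX - 0x7Fu)
#define BAD_LENGTH    ((uintptr_t)0x200)

/* Overrun-only test: cpy = op + length, then compare against oend.
 * When the sum wraps, cpy is a small address and the test passes. */
static enum copy_check check_overrun_only(uintptr_t op, uintptr_t oend, uintptr_t length)
{
    uintptr_t cpy = op + length;   /* modular arithmetic, may wrap */
    return cpy > oend ? COPY_OVERRUN : COPY_OK;
}

/* Overrun test plus the underrun test: a wrapped sum lands below op. */
static enum copy_check check_with_wrap(uintptr_t op, uintptr_t oend, uintptr_t length)
{
    uintptr_t cpy = op + length;
    if (cpy < op)
        return COPY_WRAPPED;
    return cpy > oend ? COPY_OVERRUN : COPY_OK;
}

/* Alternative: compare length with the space that remains, so no sum
 * is formed and nothing can wrap. Treats op > oend as an overrun. */
static enum copy_check check_by_remaining(uintptr_t op, uintptr_t oend, uintptr_t length)
{
    if (op > oend)
        return COPY_OVERRUN;
    return length > oend - op ? COPY_OVERRUN : COPY_OK;
}

int main(void)
{
    printf("overrun-only: %d\n", check_overrun_only(OP_NEAR_TOP, OEND_NEAR_TOP, BAD_LENGTH));
    printf("with wrap:    %d\n", check_with_wrap(OP_NEAR_TOP, OEND_NEAR_TOP, BAD_LENGTH));
    printf("by remaining: %d\n", check_by_remaining(OP_NEAR_TOP, OEND_NEAR_TOP, BAD_LENGTH));
    return 0;
}
```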