This is a note to let you know that I've just added the patch titled
lzo: properly check for overruns
to the 3.4-stable tree which can be found at:
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
The filename of the patch is:
lzo-properly-check-for-overruns.patch
and it can be found in the queue-3.4 subdirectory.
If you, or anyone else, feels it should not be added to the stable tree,
please let <[email protected]> know about it.
>From 206a81c18401c0cde6e579164f752c4b147324ce Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman <[email protected]>
Date: Fri, 20 Jun 2014 22:00:53 -0700
Subject: lzo: properly check for overruns
From: Greg Kroah-Hartman <[email protected]>
commit 206a81c18401c0cde6e579164f752c4b147324ce upstream.
The lzo decompressor can, if given some really crazy data, possibly
overrun some variable types. Modify the checking logic to properly
detect overruns before they happen.
Reported-by: "Don A. Bailey" <[email protected]>
Tested-by: "Don A. Bailey" <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---
lib/lzo/lzo1x_decompress_safe.c | 62 ++++++++++++++++++++++++++--------------
1 file changed, 41 insertions(+), 21 deletions(-)
--- a/lib/lzo/lzo1x_decompress_safe.c
+++ b/lib/lzo/lzo1x_decompress_safe.c
@@ -19,11 +19,31 @@
#include <linux/lzo.h>
#include "lzodefs.h"
-#define HAVE_IP(x) ((size_t)(ip_end - ip) >= (size_t)(x))
-#define HAVE_OP(x) ((size_t)(op_end - op) >= (size_t)(x))
-#define NEED_IP(x) if (!HAVE_IP(x)) goto input_overrun
-#define NEED_OP(x) if (!HAVE_OP(x)) goto output_overrun
-#define TEST_LB(m_pos) if ((m_pos) < out) goto lookbehind_overrun
+#define HAVE_IP(t, x) \
+ (((size_t)(ip_end - ip) >= (size_t)(t + x)) && \
+ (((t + x) >= t) && ((t + x) >= x)))
+
+#define HAVE_OP(t, x) \
+ (((size_t)(op_end - op) >= (size_t)(t + x)) && \
+ (((t + x) >= t) && ((t + x) >= x)))
+
+#define NEED_IP(t, x) \
+ do { \
+ if (!HAVE_IP(t, x)) \
+ goto input_overrun; \
+ } while (0)
+
+#define NEED_OP(t, x) \
+ do { \
+ if (!HAVE_OP(t, x)) \
+ goto output_overrun; \
+ } while (0)
+
+#define TEST_LB(m_pos) \
+ do { \
+ if ((m_pos) < out) \
+ goto lookbehind_overrun; \
+ } while (0)
int lzo1x_decompress_safe(const unsigned char *in, size_t in_len,
unsigned char *out, size_t *out_len)
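Review bot: The new `HAVE_IP(t, x)` and `HAVE_OP(t, x)` macros expand `t` and `x` unparenthesized and evaluate each of them several times, so they are only safe while every caller passes a plain variable or constant, as the call sites in this patch do. Writing the sum as `((t) + (x))` throughout removes the precedence hazard. The wraparound test also only works when `t + x` is computed in an unsigned type, so a short comment above the macros should say so, for example `/* t: length decoded from the stream, x: fixed slack; detects t + x wrapping */`. The macros are used in lzo1x_decompress_safe, whose body lies outside this hunk.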
@@ -58,14 +78,14 @@ int lzo1x_decompress_safe(const unsigned
while (unlikely(*ip == 0)) {
t += 255;
ip++;
- NEED_IP(1);
+ NEED_IP(1, 0);
}
t += 15 + *ip++;
}
t += 3;
copy_literal_run:
#if defined(CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS)
- if (likely(HAVE_IP(t + 15) && HAVE_OP(t + 15))) {
+ if (likely(HAVE_IP(t, 15) && HAVE_OP(t, 15))) {
const unsigned char *ie = ip + t;
unsigned char *oe = op + t;
do {
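Review bot: The accumulation of `t` itself is still unchecked: `t += 255` in the zero-byte loop, then `t += 15 + *ip++` and `t += 3`, can wrap before `HAVE_IP(t, 15)` / `HAVE_OP(t, 15)` ever see the value, because the macros only test whether `t + x` wraps. This assumes `t` is an unsigned, size_t-width variable; its declaration is outside the hunk. A wrapped `t` is a small number that passes the checks, and a `t` of zero would enter `do { *op++ = *ip++; } while (--t > 0);` in the @@ -81 hunk and decrement past zero. Bounding the run length inside the loop closes this, for example `if (unlikely(t > ~(size_t)0 - 1024)) goto input_overrun;` before `t += 255;`. The same loop appears in the @@ -119 and @@ -137 hunks.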
@@ -81,8 +101,8 @@ copy_literal_run:
} else
#endif
{
- NEED_OP(t);
- NEED_IP(t + 3);
+ NEED_OP(t, 0);
+ NEED_IP(t, 3);
do {
*op++ = *ip++;
} while (--t > 0);
@@ -95,7 +115,7 @@ copy_literal_run:
m_pos -= t >> 2;
m_pos -= *ip++ << 2;
TEST_LB(m_pos);
- NEED_OP(2);
+ NEED_OP(2, 0);
op[0] = m_pos[0];
op[1] = m_pos[1];
op += 2;
@@ -119,10 +139,10 @@ copy_literal_run:
while (unlikely(*ip == 0)) {
t += 255;
ip++;
- NEED_IP(1);
+ NEED_IP(1, 0);
}
t += 31 + *ip++;
- NEED_IP(2);
+ NEED_IP(2, 0);
}
m_pos = op - 1;
next = get_unaligned_le16(ip);
@@ -137,10 +157,10 @@ copy_literal_run:
while (unlikely(*ip == 0)) {
t += 255;
ip++;
- NEED_IP(1);
+ NEED_IP(1, 0);
}
t += 7 + *ip++;
- NEED_IP(2);
+ NEED_IP(2, 0);
}
next = get_unaligned_le16(ip);
ip += 2;
@@ -154,7 +174,7 @@ copy_literal_run:
#if defined(CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS)
if (op - m_pos >= 8) {
unsigned char *oe = op + t;
- if (likely(HAVE_OP(t + 15))) {
+ if (likely(HAVE_OP(t, 15))) {
do {
COPY8(op, m_pos);
op += 8;
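Review bot: `unsigned char *oe = op + t;` is still computed before `HAVE_OP(t, 15)` here, and before `NEED_OP(t, 0)` in the @@ -181 hunk, so for a length larger than the remaining output space the pointer is formed out of bounds before any check has run. As far as these hunks show, the value is not dereferenced on the failing path, but forming it is already undefined behaviour and in principle lets the compiler reason as if the check could not fail. Declaring `unsigned char *oe;` and assigning `oe = op + t;` only after the check has passed in each branch keeps the arithmetic inside the buffer. The enclosing block starts and ends outside this hunk.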
@@ -164,7 +184,7 @@ copy_literal_run:
m_pos += 8;
} while (op < oe);
op = oe;
- if (HAVE_IP(6)) {
+ if (HAVE_IP(6, 0)) {
state = next;
COPY4(op, ip);
op += next;
@@ -172,7 +192,7 @@ copy_literal_run:
continue;
}
} else {
- NEED_OP(t);
+ NEED_OP(t, 0);
do {
*op++ = *m_pos++;
} while (op < oe);
@@ -181,7 +201,7 @@ copy_literal_run:
#endif
{
unsigned char *oe = op + t;
- NEED_OP(t);
+ NEED_OP(t, 0);
op[0] = m_pos[0];
op[1] = m_pos[1];
op += 2;
@@ -194,15 +214,15 @@ match_next:
state = next;
t = next;
#if defined(CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS)
- if (likely(HAVE_IP(6) && HAVE_OP(4))) {
+ if (likely(HAVE_IP(6, 0) && HAVE_OP(4, 0))) {
COPY4(op, ip);
op += t;
ip += t;
} else
#endif
{
- NEED_IP(t + 3);
- NEED_OP(t);
+ NEED_IP(t, 3);
+ NEED_OP(t, 0);
while (t > 0) {
*op++ = *ip++;
t--;
Patches currently in stable-queue which might be from
[email protected] are
queue-3.4/lib-lzo-update-lzo-compression-to-current-upstream-version.patch
queue-3.4/usb-cdc-acm-fix-i-o-after-failed-open.patch
queue-3.4/net-tunnels-enable-module-autoloading.patch
queue-3.4/net-mlx4_core-preserve-pci_dev_data-after-__mlx4_remove_one.patch
queue-3.4/usb-cdc-acm-fix-write-and-resume-race.patch
queue-3.4/usb-cdc-acm-fix-runtime-pm-for-control-messages.patch
queue-3.4/netlink-rate-limit-leftover-bytes-warning-and-print-process-name.patch
queue-3.4/usb-cdc-acm-fix-broken-runtime-suspend.patch
queue-3.4/lib-lzo-rename-lzo1x_decompress.c-to-lzo1x_decompress_safe.c.patch
queue-3.4/alsa-control-protect-user-controls-against-concurrent-access.patch
queue-3.4/sctp-fix-sk_ack_backlog-wrap-around-problem.patch
queue-3.4/team-fix-mtu-setting.patch
queue-3.4/net-fix-inet_getid-and-ipv6_select_ident-bugs.patch
queue-3.4/evm-prohibit-userspace-writing-security.evm-hmac-value.patch
queue-3.4/alsa-hda-realtek-add-support-of-alc891-codec.patch
queue-3.4/usb-cdc-acm-fix-runtime-pm-imbalance-at-shutdown.patch
queue-3.4/usb-cdc-acm-fix-shutdown-and-suspend-race.patch
queue-3.4/mlx4_core-stash-pci-id-driver_data-in-mlx4_priv-structure.patch
queue-3.4/nohz-fix-another-inconsistency-between-config_no_hz-n-and-nohz-off.patch
queue-3.4/alsa-control-don-t-access-controls-outside-of-protected-regions.patch
queue-3.4/alsa-control-fix-replacing-user-controls.patch
queue-3.4/alsa-control-make-sure-that-id-index-does-not-overflow.patch
queue-3.4/iscsi-target-reject-mutual-authentication-with-reflected-chap_c.patch
queue-3.4/usb-cdc-acm-fix-write-and-suspend-race.patch
queue-3.4/lzo-properly-check-for-overruns.patch
queue-3.4/alsa-control-handle-numid-overflow.patch