From mboxrd@z Thu Jan 1 00:00:00 1970
From: Ian Campbell
Subject: Re: [PATCH] LZ4 : fix the data abort issue
Date: Wed, 25 Mar 2015 16:32:51 +0000
Message-ID: <1427301171.10784.95.camel@citrix.com>
References: <5512ECDC020000780006D8DB@mail.emea.novell.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Received: from mail6.bemta14.messagelabs.com ([193.109.254.103]) by lists.xen.org with esmtp (Exim 4.72) (envelope-from ) id 1YaoLS-0006l6-Lv for xen-devel@lists.xenproject.org; Wed, 25 Mar 2015 16:39:54 +0000
In-Reply-To: <5512ECDC020000780006D8DB@mail.emea.novell.com>
Sender: xen-devel-bounces@lists.xen.org
Errors-To: xen-devel-bounces@lists.xen.org
To: Jan Beulich
Cc: tom.yeon@windriver.com, xen-devel, Keir Fraser, Ian Jackson, Tim Deegan
List-Id: xen-devel@lists.xenproject.org

On Wed, 2015-03-25 at 16:14 +0000, Jan Beulich wrote:
> If part of the compression data is corrupted, or the compression
> data is totally fake, a memory access over the limit is possible.
>
> This is the log from my system using lz4 decompression.
> [6502]data abort, halting
> [6503]r0 0x00000000 r1 0x00000000 r2 0xdcea0ffc r3 0xdcea0ffc
> [6509]r4 0xb9ab0bfd r5 0xdcea0ffc r6 0xdcea0ff8 r7 0xdce80000
> [6515]r8 0x00000000 r9 0x00000000 r10 0x00000000 r11 0xb9a98000
> [6522]r12 0xdcea1000 usp 0x00000000 ulr 0x00000000 pc 0x820149bc
> [6528]spsr 0x400001f3
> and the memory addresses of some variables at the moment are
> ref:0xdcea0ffc, op:0xdcea0ffc, oend:0xdcea1000
>
> As you can see, COPYLENGTH is 8 bytes, so @ref and @op can access the memory
> over @oend.
>
> Signed-off-by: JeHyeon Yeon
> Reviewed-by: David Sterba
> [Linux commit d5e7cafd69da24e6d6cc988fab6ea313a2577efc]
> Signed-off-by: Jan Beulich

Acked-by: Ian Campbell

>
> --- a/xen/common/lz4/decompress.c
> +++ b/xen/common/lz4/decompress.c
> @@ -132,6 +132,9 @@ static int INIT lz4_uncompress(const uns > /* Error: request to write beyond destination buffer */ > if (cpy > oend) > goto _output_error; > + if ((ref + COPYLENGTH) > oend || > + (op + COPYLENGTH) > oend) > + goto _output_error; > LZ4_SECURECOPY(ref, op, (oend - COPYLENGTH)); > while (op < cpy) > *op++ = *ref++; > > >
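Review bot: the added condition forms `ref + COPYLENGTH` and `op + COPYLENGTH` and compares them with `oend`; in exactly the case it is meant to catch (the log's `ref == op == oend - 4`) those sums point past the end of the destination buffer, which is pointer arithmetic C does not define. The size form `(oend - ref) < COPYLENGTH || (oend - op) < COPYLENGTH` tests the same thing without forming such a pointer and reads directly as the headroom that `LZ4_SECURECOPY(ref, op, (oend - COPYLENGTH))` needs. A one-line comment in the style of the `/* Error: request to write beyond destination buffer */` above it would also help, because this check is stricter than `cpy > oend`: it rejects a match whose `op` or `ref` lies within the last COPYLENGTH bytes even when `cpy <= oend`, since the copy below proceeds in COPYLENGTH-byte units rather than byte by byte.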
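As an added illustration of the overrun the commit message describes (this is not code from Xen, Linux or the patch author): a small C model of the near-end match copy, with the patch's check written in size form, run on constructed offsets that mirror the log's `op == ref == oend - 4`. Buffer size, guard size and the `wildcopy` helper are assumptions of this model, not Xen's definitions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define COPYLENGTH 8      /* copy unit of LZ4_SECURECOPY, as in the patch */
#define OUT_SIZE   4096   /* constructed: size of the destination buffer */
#define GUARD      16     /* constructed: slack past oend so an overrun stays observable */

/* COPYLENGTH-byte-unit copy that, like a do-while wildcopy, always copies at
 * least one unit: that is why op/ref within COPYLENGTH of oend overrun. */
static void wildcopy(uint8_t **op, const uint8_t **ref, const uint8_t *e)
{
    do {
        for (int i = 0; i < COPYLENGTH; i++)   /* byte-wise so overlap is fine */
            (*op)[i] = (*ref)[i];
        *op += COPYLENGTH;
        *ref += COPYLENGTH;
    } while (*op < e);
}

/* Models the near-end match copy the patch guards. Offsets are relative to the
 * start of the output buffer; oend = buffer + OUT_SIZE. checked != 0 applies the
 * patch's bound check, in size form so no pointer past oend is ever formed.
 * Returns -1 if the match is rejected, otherwise the number of bytes written
 * past oend (0 means the copy stayed inside the buffer). */
long copy_match(int checked, size_t op_off, size_t ref_off, size_t len)
{
    uint8_t buf[OUT_SIZE + GUARD];
    uint8_t *oend = buf + OUT_SIZE;
    uint8_t *op = buf + op_off;
    const uint8_t *ref = buf + ref_off;
    uint8_t *cpy = op + len;

    memset(buf, 0xAA, sizeof buf);
    if (cpy > oend)                        /* existing check in decompress.c */
        return -1;
    if (checked && ((size_t)(oend - ref) < COPYLENGTH ||
                    (size_t)(oend - op) < COPYLENGTH))
        return -1;                         /* the check the patch adds */
    wildcopy(&op, &ref, oend - COPYLENGTH);
    while (op < cpy)                       /* trailing bytes, as in decompress.c */
        *op++ = *ref++;
    return op > oend ? (long)(op - oend) : 0;
}
```

With the log's offsets the unchecked path writes 4 bytes past oend even though `cpy == oend`; the checked path rejects the match, while a match that leaves COPYLENGTH bytes of headroom copies normally.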