From: Andrei Borzenkov
To: Toomas Soome
Cc: The development of GNU GRUB <grub-devel@gnu.org>
Subject: Re: [PATCH 2/2] lz4 overflow bug
Date: Thu, 16 Apr 2015 07:20:01 +0300
Message-ID: <20150416072001.736b679a@opensuse.site>
In-Reply-To: <8D975920-FC91-4FB5-8707-90A40BDB74B1@me.com>
References: <8D975920-FC91-4FB5-8707-90A40BDB74B1@me.com>

On Wed, 15 Apr 2015 23:51:16 +0300 Toomas Soome writes:
>
> hi!
>
> yep, this old bug is not fixed in grub. cpy can (theoretically?) overflow.

You mean "length"? Or do you really mean pointer overflow? Anyway, in both cases it seems more reasonable to check when length is computed, not after overflow, when it is already too late.

>
> ---
> grub-core/fs/zfs/zfs_lz4.c | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/grub-core/fs/zfs/zfs_lz4.c b/grub-core/fs/zfs/zfs_lz4.c
> index 1212a89..ca6445d 100644
> --- a/grub-core/fs/zfs/zfs_lz4.c
> +++ b/grub-core/fs/zfs/zfs_lz4.c
> @@ -185,6 +185,8 @@ LZ4_uncompress_unknownOutputSize(const char *source,
> }
> /* copy literals */
> cpy = op + length;
> + if (cpy < op)
> + goto _output_error;
> if ((cpy > oend - COPYLENGTH) ||
> (ip + length > iend - COPYLENGTH)) {
> if (cpy > oend)
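Review bot: the added `if (cpy < op)` test after `cpy = op + length;` only fires once the pointer addition has already wrapped, but forming a pointer beyond the end of the output buffer is undefined behaviour in C, so a compiler may assume `op + length >= op` always holds and discard the branch; the neighbouring `ip + length > iend - COPYLENGTH` test has the same weakness. Validate the length against the remaining room before forming the pointer, e.g. `if (length > (size_t)(oend - op)) goto _output_error;` placed ahead of `cpy = op + length;`, which also makes the later `cpy > oend` test redundant on this path.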
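The length-first check that the reply argues for, as an added C example that is neither the quoted patch nor GRUB's code: only the variable names op, oend, ip, iend and length follow the hunk, while the function names and the 64-byte sample buffers are constructed for this illustration.

```c
/* Added example (not GRUB's code): validate the literal length against the
 * remaining output and input room *before* forming op + length, instead of
 * testing "cpy < op" after the pointer may already have wrapped. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Return 1 if copying `length` literal bytes from ip to op stays inside
 * [op, oend) and [ip, iend), 0 otherwise.  Only pointer differences are
 * computed, so no pointer is ever advanced past its buffer, and a huge
 * length (even SIZE_MAX) is rejected by a plain integer comparison. */
static int literals_fit(const unsigned char *op, const unsigned char *oend,
                        const unsigned char *ip, const unsigned char *iend,
                        size_t length)
{
    if (op > oend || ip > iend)           /* cursor already out of bounds */
        return 0;
    size_t out_room = (size_t)(oend - op);
    size_t in_room  = (size_t)(iend - ip);
    return length <= out_room && length <= in_room;
}

/* Run the check on constructed 64-byte buffers with op advanced by `offset`
 * bytes into the output buffer; input cursor stays at the start. */
static int check_case(size_t offset, size_t length)
{
    unsigned char out[64], in[64];
    if (offset > sizeof out)
        return 0;
    return literals_fit(out + offset, out + sizeof out,
                        in, in + sizeof in, length);
}

/* Exercise the boundary cases; returns 1 when every expectation holds. */
static int demo(void)
{
    int ok = 1;
    ok &=  check_case(0, 64);        /* exactly fills the output: accepted */
    ok &= !check_case(0, 65);        /* one byte past the end: rejected */
    ok &= !check_case(0, SIZE_MAX);  /* op + length would wrap: rejected */
    ok &=  check_case(20, 44);       /* 44 bytes of room left: accepted */
    ok &= !check_case(20, 45);       /* 43 bytes too far... one too many */
    ok &= !check_case(64, 1);        /* no room left at all: rejected */
    return ok;
}

int main(void)
{
    printf("bounds checks %s\n", demo() ? "passed" : "FAILED");
    return demo() ? 0 : 1;
}
```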