Re: [PATCH 2/2] lz4 overflow bug

From: Andrei Borzenkov <arvidjaar@gmail.com>
To: Toomas Soome <tsoome@me.com>
Cc: The development of GNU GRUB <grub-devel@gnu.org>
Subject: Re: [PATCH 2/2] lz4 overflow bug
Date: Thu, 16 Apr 2015 08:07:01 +0300	[thread overview]
Message-ID: <20150416080701.20fb21c3@opensuse.site> (raw)
In-Reply-To: <FD5FFE6F-3922-4BF3-9A04-C06A4CD9029A@me.com>

В Thu, 16 Apr 2015 07:51:50 +0300
Toomas Soome <tsoome@me.com> пишет:

> 
> > On 16.04.2015, at 7:20, Andrei Borzenkov <arvidjaar@gmail.com> wrote:
> > 
> > В Wed, 15 Apr 2015 23:51:16 +0300
> > Toomas Soome <tsoome@me.com> пишет:
> > 
> >> 
> >> hi!
> >> 
> >> yep, this old bug is not fixed in grub. cpy can (theoretically?) overflow.
> > 
> > You mean "length"? Or do you really mean pointer overflow?
> > 
> > Anyway in both cases it seems more reasonable to check when length is
> > computed, not after overflow, when it is already too late.
> 
> integer overflow.  from 0xFFFFFFFF to 0x0.

signed integer overflow is undefined behavior in C. It is too late to
check for it after it happened.

> 
> > 
> >> 
> >> ---
> >> grub-core/fs/zfs/zfs_lz4.c |    2 ++
> >> 1 file changed, 2 insertions(+)
> >> 
> >> diff --git a/grub-core/fs/zfs/zfs_lz4.c b/grub-core/fs/zfs/zfs_lz4.c
> >> index 1212a89..ca6445d 100644
> >> --- a/grub-core/fs/zfs/zfs_lz4.c
> >> +++ b/grub-core/fs/zfs/zfs_lz4.c
> >> @@ -185,6 +185,8 @@ LZ4_uncompress_unknownOutputSize(const char *source,
> >> 		}
> >> 		/* copy literals */
> >> 		cpy = op + length;
> >> +		if (cpy < op)
> >> +			goto _output_error;
> >> 		if ((cpy > oend - COPYLENGTH) ||
> >> 		    (ip + length > iend - COPYLENGTH)) {
> >> 			if (cpy > oend)
> > 
> > 
> > _______________________________________________
> > Grub-devel mailing list
> > Grub-devel@gnu.org
> > https://lists.gnu.org/mailman/listinfo/grub-devel
> 
> 
> _______________________________________________
> Grub-devel mailing list
> Grub-devel@gnu.org
> https://lists.gnu.org/mailman/listinfo/grub-devel