[PATCH 2/2] lz4 overflow bug

[PATCH 2/2] lz4 overflow bug

[Toomas Soome]

hi!

yep, this old bug is not fixed in grub. cpy can (theoretically?) overflow.

---
 grub-core/fs/zfs/zfs_lz4.c |    2 ++
 1 file changed, 2 insertions(+)

diff --git a/grub-core/fs/zfs/zfs_lz4.c b/grub-core/fs/zfs/zfs_lz4.c
index 1212a89..ca6445d 100644
--- a/grub-core/fs/zfs/zfs_lz4.c
+++ b/grub-core/fs/zfs/zfs_lz4.c
@@ -185,6 +185,8 @@ LZ4_uncompress_unknownOutputSize(const char *source,
 		}
 		/* copy literals */
 		cpy = op + length;
+		if (cpy < op)
+			goto _output_error;
 		if ((cpy > oend - COPYLENGTH) ||
 		    (ip + length > iend - COPYLENGTH)) {
 			if (cpy > oend)
-- 
1.7.9.2

Re: [PATCH 2/2] lz4 overflow bug

[Andrei Borzenkov]

В Wed, 15 Apr 2015 23:51:16 +0300
Toomas Soome <tsoome@me.com> пишет:

> 
> hi!
> 
> yep, this old bug is not fixed in grub. cpy can (theoretically?) overflow.

You mean "length"? Or do you really mean pointer overflow?

Anyway in both cases it seems more reasonable to check when length is
computed, not after overflow, when it is already too late.

> 
> ---
>  grub-core/fs/zfs/zfs_lz4.c |    2 ++
>  1 file changed, 2 insertions(+)
> 
> diff --git a/grub-core/fs/zfs/zfs_lz4.c b/grub-core/fs/zfs/zfs_lz4.c
> index 1212a89..ca6445d 100644
> --- a/grub-core/fs/zfs/zfs_lz4.c
> +++ b/grub-core/fs/zfs/zfs_lz4.c
> @@ -185,6 +185,8 @@ LZ4_uncompress_unknownOutputSize(const char *source,
>  		}
>  		/* copy literals */
>  		cpy = op + length;
> +		if (cpy < op)
> +			goto _output_error;
>  		if ((cpy > oend - COPYLENGTH) ||
>  		    (ip + length > iend - COPYLENGTH)) {
>  			if (cpy > oend)

Re: [PATCH 2/2] lz4 overflow bug

[Toomas Soome]

> On 16.04.2015, at 7:20, Andrei Borzenkov <arvidjaar@gmail.com> wrote:
> 
> В Wed, 15 Apr 2015 23:51:16 +0300
> Toomas Soome <tsoome@me.com> пишет:
> 
>> 
>> hi!
>> 
>> yep, this old bug is not fixed in grub. cpy can (theoretically?) overflow.
> 
> You mean "length"? Or do you really mean pointer overflow?
> 
> Anyway in both cases it seems more reasonable to check when length is
> computed, not after overflow, when it is already too late.

integer overflow.  from 0xFFFFFFFF to 0x0.

> 
>> 
>> ---
>> grub-core/fs/zfs/zfs_lz4.c |    2 ++
>> 1 file changed, 2 insertions(+)
>> 
>> diff --git a/grub-core/fs/zfs/zfs_lz4.c b/grub-core/fs/zfs/zfs_lz4.c
>> index 1212a89..ca6445d 100644
>> --- a/grub-core/fs/zfs/zfs_lz4.c
>> +++ b/grub-core/fs/zfs/zfs_lz4.c
>> @@ -185,6 +185,8 @@ LZ4_uncompress_unknownOutputSize(const char *source,
>> 		}
>> 		/* copy literals */
>> 		cpy = op + length;
>> +		if (cpy < op)
>> +			goto _output_error;
>> 		if ((cpy > oend - COPYLENGTH) ||
>> 		    (ip + length > iend - COPYLENGTH)) {
>> 			if (cpy > oend)
> 
> 
> _______________________________________________
> Grub-devel mailing list
> Grub-devel@gnu.org
> https://lists.gnu.org/mailman/listinfo/grub-devel

Re: [PATCH 2/2] lz4 overflow bug

[Andrei Borzenkov]

В Thu, 16 Apr 2015 07:51:50 +0300
Toomas Soome <tsoome@me.com> пишет:

> 
> > On 16.04.2015, at 7:20, Andrei Borzenkov <arvidjaar@gmail.com> wrote:
> > 
> > В Wed, 15 Apr 2015 23:51:16 +0300
> > Toomas Soome <tsoome@me.com> пишет:
> > 
> >> 
> >> hi!
> >> 
> >> yep, this old bug is not fixed in grub. cpy can (theoretically?) overflow.
> > 
> > You mean "length"? Or do you really mean pointer overflow?
> > 
> > Anyway in both cases it seems more reasonable to check when length is
> > computed, not after overflow, when it is already too late.
> 
> integer overflow.  from 0xFFFFFFFF to 0x0.

signed integer overflow is undefined behavior in C. It is too late to
check for it after it happened.

> 
> > 
> >> 
> >> ---
> >> grub-core/fs/zfs/zfs_lz4.c |    2 ++
> >> 1 file changed, 2 insertions(+)
> >> 
> >> diff --git a/grub-core/fs/zfs/zfs_lz4.c b/grub-core/fs/zfs/zfs_lz4.c
> >> index 1212a89..ca6445d 100644
> >> --- a/grub-core/fs/zfs/zfs_lz4.c
> >> +++ b/grub-core/fs/zfs/zfs_lz4.c
> >> @@ -185,6 +185,8 @@ LZ4_uncompress_unknownOutputSize(const char *source,
> >> 		}
> >> 		/* copy literals */
> >> 		cpy = op + length;
> >> +		if (cpy < op)
> >> +			goto _output_error;
> >> 		if ((cpy > oend - COPYLENGTH) ||
> >> 		    (ip + length > iend - COPYLENGTH)) {
> >> 			if (cpy > oend)
> > 
> > 
> > _______________________________________________
> > Grub-devel mailing list
> > Grub-devel@gnu.org
> > https://lists.gnu.org/mailman/listinfo/grub-devel
> 
> 
> _______________________________________________
> Grub-devel mailing list
> Grub-devel@gnu.org
> https://lists.gnu.org/mailman/listinfo/grub-devel