Date: Thu, 16 Apr 2015 08:07:01 +0300
From: Andrei Borzenkov
To: Toomas Soome
Cc: The development of GNU GRUB
Subject: Re: [PATCH 2/2] lz4 overflow bug
Message-ID: <20150416080701.20fb21c3@opensuse.site>
In-Reply-To:
References: <8D975920-FC91-4FB5-8707-90A40BDB74B1@me.com> <20150416072001.736b679a@opensuse.site>

On Thu, 16 Apr 2015 07:51:50 +0300
Toomas Soome writes:

> 
> > On 16.04.2015, at 7:20, Andrei Borzenkov wrote:
> > 
> > On Wed, 15 Apr 2015 23:51:16 +0300
> > Toomas Soome writes:
> > 
> >> 
> >> hi!
> >> 
> >> yep, this old bug is not fixed in grub. cpy can (theoretically?) overflow.
> > 
> > You mean "length"? Or do you really mean pointer overflow?
> > 
> > Anyway in both cases it seems more reasonable to check when length is
> > computed, not after overflow, when it is already too late.
> 
> Integer overflow. From 0xFFFFFFFF to 0x0.

Signed integer overflow is undefined behavior in C. It is too late to
check for it after it happened.

> 
> > 
> >> 
> >> ---
> >> grub-core/fs/zfs/zfs_lz4.c | 2 ++
> >> 1 file changed, 2 insertions(+)
> >> 
> >> diff --git a/grub-core/fs/zfs/zfs_lz4.c b/grub-core/fs/zfs/zfs_lz4.c
> >> index 1212a89..ca6445d 100644
> >> --- a/grub-core/fs/zfs/zfs_lz4.c
> >> +++ b/grub-core/fs/zfs/zfs_lz4.c
> >> @@ -185,6 +185,8 @@ LZ4_uncompress_unknownOutputSize(const char *source,
> >> }
> >> /* copy literals */
> >> cpy = op + length;
> >> + if (cpy < op)
> >> + goto _output_error;
> >> if ((cpy > oend - COPYLENGTH) ||
> >> (ip + length > iend - COPYLENGTH)) {
> >> if (cpy > oend)
> > 
> > 
> > _______________________________________________
> > Grub-devel mailing list
> > Grub-devel@gnu.org
> > https://lists.gnu.org/mailman/listinfo/grub-devel
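Review bot: the added `if (cpy < op)` test runs only after `cpy = op + length` has already been formed, so on the very input it is meant to catch it compares a pointer that arithmetic has carried outside the output buffer; that arithmetic is undefined behavior in C, and a compiler may assume `op + length >= op` and drop the check entirely. Compare the length against the space that is actually left before forming the pointer, e.g. `if (length > (size_t)(oend - op)) goto _output_error;` placed ahead of the `cpy = op + length;` line, so that `cpy` can never wrap. The same applies to the input side: the existing condition `(ip + length > iend - COPYLENGTH)` forms `ip + length` the same way, so check `length > (size_t)(iend - ip)` before that comparison as well. With both pre-checks in place, the 0xFFFFFFFF to 0x0 wrap-around discussed above cannot occur, and the `cpy > oend` tests that follow only ever see in-bounds pointers.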
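As an added example (not GRUB's code and not the patch under review), the following C program shows the alternative the reply argues for: a minimal LZ4 literal-run decoder that validates the attacker-controlled length against the bytes remaining in both the input and the output buffer before ever computing `op + length` or `ip + length`. The token layout (literal length in the high nibble, extended by 255-valued bytes while the nibble is 15) follows the LZ4 block format; the function names `read_literal_length`, `copy_literals` and `decode_literal_run`, the status codes and the two byte strings are constructed for this illustration.

```c
/* Added example, not part of GRUB: bounds-checking an LZ4 literal run
 * without relying on pointer overflow detection. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ML_BITS  4
#define RUN_MASK ((1U << (8 - ML_BITS)) - 1)   /* 15: "length continues" */

enum lz4_status { LZ4_OK = 0, LZ4_ERR_INPUT, LZ4_ERR_OUTPUT, LZ4_ERR_LENGTH };

/* Read an LZ4 literal length: token high nibble, then while the value was 15,
 * add further bytes until one is not 255. Rejects truncated input and any
 * length that would wrap size_t. Attacker-controlled data decides `length`. */
static enum lz4_status
read_literal_length(const uint8_t **ipp, const uint8_t *iend, size_t *len)
{
    const uint8_t *ip = *ipp;
    size_t length;

    if (ip >= iend)
        return LZ4_ERR_INPUT;
    length = *ip++ >> ML_BITS;
    if (length == RUN_MASK) {
        uint8_t s;
        do {
            if (ip >= iend)
                return LZ4_ERR_INPUT;
            s = *ip++;
            if (length > SIZE_MAX - 255)
                return LZ4_ERR_LENGTH;
            length += s;
        } while (s == 255);
    }
    *ipp = ip;
    *len = length;
    return LZ4_OK;
}

/* Copy `length` literal bytes. Both checks compare `length` against the
 * remaining room (a valid in-object pointer difference) BEFORE any
 * ip + length / op + length is formed, so no pointer ever leaves its buffer. */
static enum lz4_status
copy_literals(const uint8_t **ipp, const uint8_t *iend,
              uint8_t **opp, const uint8_t *oend, size_t length)
{
    const uint8_t *ip = *ipp;
    uint8_t *op = *opp;

    if (length > (size_t)(iend - ip))
        return LZ4_ERR_INPUT;
    if (length > (size_t)(oend - op))
        return LZ4_ERR_OUTPUT;
    memcpy(op, ip, length);
    *ipp = ip + length;
    *opp = op + length;
    return LZ4_OK;
}

/* Decode a single literal run from src into dst; *produced gets the byte count. */
enum lz4_status
decode_literal_run(const uint8_t *src, size_t srclen,
                   uint8_t *dst, size_t dstlen, size_t *produced)
{
    const uint8_t *ip = src, *iend = src + srclen;
    uint8_t *op = dst, *oend = dst + dstlen;
    size_t length;
    enum lz4_status st = read_literal_length(&ip, iend, &length);

    if (st != LZ4_OK)
        return st;
    st = copy_literals(&ip, iend, &op, oend, length);
    if (st != LZ4_OK)
        return st;
    *produced = (size_t)(op - dst);
    return LZ4_OK;
}

/* Constructed sample streams (not real ZFS/LZ4 block data). */
static const uint8_t BENIGN[]  = { 0x50, 'h', 'e', 'l', 'l', 'o' };       /* length 5 */
static const uint8_t HOSTILE[] = { 0xF0, 0xFF, 0xFF, 0xFF, 0xFF, 0x00 };  /* 15+4*255 */

int demo_benign(void)
{
    uint8_t out[16]; size_t n = 0;
    return decode_literal_run(BENIGN, sizeof BENIGN, out, sizeof out, &n) == LZ4_OK
           && n == 5 && memcmp(out, "hello", 5) == 0;
}

int demo_short_output(void)   /* 5 literals into a 3-byte buffer: rejected */
{
    uint8_t out[3]; size_t n = 0;
    return decode_literal_run(BENIGN, sizeof BENIGN, out, sizeof out, &n) == LZ4_ERR_OUTPUT;
}

size_t demo_hostile_length_value(void)   /* what the extension bytes decode to */
{
    const uint8_t *ip = HOSTILE; size_t len = 0;
    return read_literal_length(&ip, HOSTILE + sizeof HOSTILE, &len) == LZ4_OK ? len : 0;
}

int demo_hostile_length(void)   /* 1035 literals with 0 input bytes left: rejected */
{
    uint8_t out[16]; size_t n = 0;
    return decode_literal_run(HOSTILE, sizeof HOSTILE, out, sizeof out, &n) == LZ4_ERR_INPUT;
}

int main(void)
{
    printf("benign ok=%d short-output rejected=%d hostile length=%zu rejected=%d\n",
           demo_benign(), demo_short_output(), demo_hostile_length_value(),
           demo_hostile_length());
    return 0;
}
```

The point of `copy_literals` is that `oend - op` and `iend - ip` are differences between pointers into the same object, which C defines, whereas `op + length` for an oversized `length` is not; comparing the length first is therefore a check the compiler cannot reason away, unlike a post-hoc `cpy < op`.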