From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 89466C05027 for ; Thu, 9 Feb 2023 11:26:55 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231431AbjBIL0x (ORCPT ); Thu, 9 Feb 2023 06:26:53 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:59894 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231444AbjBIL0J (ORCPT ); Thu, 9 Feb 2023 06:26:09 -0500 Received: from ams.source.kernel.org (ams.source.kernel.org [145.40.68.75]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id CB1166564E; Thu, 9 Feb 2023 03:20:17 -0800 (PST) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ams.source.kernel.org (Postfix) with ESMTPS id 22769B81FFE; Thu, 9 Feb 2023 11:19:18 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id E9E69C433D2; Thu, 9 Feb 2023 11:19:15 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1675941556; bh=0ZhHcDlgcocBheep5X0PxegUrdqJnTELyJRkH/kLBu8=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=YBhUz+8LLy6pLgVfzwg8SgklivRmmuQrXpmpSsGh7QY1bDl+UoYOC4mMX7y6IUA5t 2cQXJ6z7csidVKTiuSbjgbPWfuyRSFWL6V3Q55dxWTiW6H1E6QmY1itUy67ijUdxtv 7iovKUx9lRccpM3KfhqrRd+itFxVQFSQTUlK7YhPOmH2jQ5aoHI9o4DEa7D8/S//LR KSGtdeNYC/qFrxSbcrasiMeCpoZbj70VgSP0yyI2UX0C7VKYH7Hpt/cGRxwPh9c3fa 4WrcAMbFeT3EW+7mJC0vU7/zf1QBRHeHHa1j9wXr+jZH/2iLRKPR0WhQpBiJIUQy6Z OmRCSYJW7zBag== From: Sasha Levin To: linux-kernel@vger.kernel.org, stable@vger.kernel.org Cc: Vasily Gorbik , Alexander Egorenkov , Heiko Carstens , Sasha Levin , agordeev@linux.ibm.com, terrelln@fb.com, linux-s390@vger.kernel.org Subject: [PATCH AUTOSEL 5.10 11/13] s390/decompressor: specify __decompress() buf len to avoid overflow Date: Thu, 9 Feb 2023 06:18:29 -0500 Message-Id: <20230209111833.1892896-11-sashal@kernel.org> X-Mailer: git-send-email 2.39.0 In-Reply-To: <20230209111833.1892896-1-sashal@kernel.org> References: <20230209111833.1892896-1-sashal@kernel.org> MIME-Version: 1.0 X-stable: review X-Patchwork-Hint: Ignore Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Vasily Gorbik [ Upstream commit 7ab41c2c08a32132ba8c14624910e2fe8ce4ba4b ] Historically calls to __decompress() didn't specify "out_len" parameter on many architectures including s390, expecting that no writes beyond uncompressed kernel image are performed. This has changed since commit 2aa14b1ab2c4 ("zstd: import usptream v1.5.2") which includes zstd library commit 6a7ede3dfccb ("Reduce size of dctx by reutilizing dst buffer (#2751)"). Now zstd decompression code might store literal buffer in the unwritten portion of the destination buffer. Since "out_len" is not set, it is considered to be unlimited and hence free to use for optimization needs. On s390 this might corrupt initrd or ipl report which are often placed right after the decompressor buffer. Luckily the size of uncompressed kernel image is already known to the decompressor, so to avoid the problem simply specify it in the "out_len" parameter. Link: https://github.com/facebook/zstd/commit/6a7ede3dfccb Signed-off-by: Vasily Gorbik Tested-by: Alexander Egorenkov Link: https://lore.kernel.org/r/patch-1.thread-41c676.git-41c676c2d153.your-ad-here.call-01675030179-ext-9637@work.hours Signed-off-by: Heiko Carstens Signed-off-by: Sasha Levin --- arch/s390/boot/compressed/decompressor.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/arch/s390/boot/compressed/decompressor.c b/arch/s390/boot/compressed/decompressor.c index 3061b11c4d27f..8eaa1712a1c8d 100644 --- a/arch/s390/boot/compressed/decompressor.c +++ b/arch/s390/boot/compressed/decompressor.c @@ -79,6 +79,6 @@ void *decompress_kernel(void) void *output = (void *)decompress_offset; __decompress(_compressed_start, _compressed_end - _compressed_start, - NULL, NULL, output, 0, NULL, error); + NULL, NULL, output, vmlinux.image_size, NULL, error); return output; } -- 2.39.0