Re: [PATCH v2] lzo: fix ip overrun during compress.

public inbox for linux-kernel@vger.kernel.org
 help / color / mirror / Atom feed

From: "Markus F.X.J. Oberhumer" <markus@oberhumer.com>
To: dsterba@suse.cz, Yueyi Li <liyueyi@live.com>,
	"gregkh@linuxfoundation.org" <gregkh@linuxfoundation.org>,
	"w@1wt.eu" <w@1wt.eu>,
	"donb@securitymouse.com" <donb@securitymouse.com>,
	"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>
Subject: Re: [PATCH v2] lzo: fix ip overrun during compress.
Date: Tue, 4 Dec 2018 11:20:30 +0100	[thread overview]
Message-ID: <5C0654EE.5040001@oberhumer.com> (raw)
In-Reply-To: <20181128135242.gy3avmbp2pdmjaka@twin.jikos.cz>

Hi,

I don't think that address space wraparound is legal in C, but I
understand that we are in kernel land and if you really want to
compress the last virtual page 0xfffffffffffff000 the following
small patch should fix that dubious case.

This also avoids slowing down the the hot path of the compression
core function.

Cheers,
Markus



diff --git a/lib/lzo/lzo1x_compress.c b/lib/lzo/lzo1x_compress.c
index 236eb21167b5..959dec45f6fe 100644
--- a/lib/lzo/lzo1x_compress.c
+++ b/lib/lzo/lzo1x_compress.c
@@ -224,8 +224,8 @@ int lzo1x_1_compress(const unsigned char *in, size_t in_len,
 
        while (l > 20) {
                size_t ll = l <= (M4_MAX_OFFSET + 1) ? l : (M4_MAX_OFFSET + 1);
-               uintptr_t ll_end = (uintptr_t) ip + ll;
-               if ((ll_end + ((t + ll) >> 5)) <= ll_end)
+               // check for address space wraparound
+               if (((uintptr_t) ip + ll + ((t + ll) >> 5)) <= (uintptr_t) ip)
                        break;
                BUILD_BUG_ON(D_SIZE * sizeof(lzo_dict_t) > LZO1X_1_MEM_COMPRESS);
                memset(wrkmem, 0, D_SIZE * sizeof(lzo_dict_t));



On 2018-11-28 14:52, David Sterba wrote:
> Adding Markus to to CC
> 
> On Wed, Nov 28, 2018 at 07:31:26AM +0000, Yueyi Li wrote:
>> It`s possible ip overrun in lzo1x_1_do_compress() when compressed page is
>> point to the end of memory and which virtual address is 0xfffffffffffff000.
>> Leading to a NULL pointer access during the get_unaligned_le32(ip).
> 
> So this could happen in practice in zram, but unlikely for other users
> of lzo (like btrfs). I'm not sure but expect that the last page would
> not be returned by allocator.
> 
> The fix is adding a few branches to code that's supposed to be as fast
> as possible. The branches would be evaluated all the time while
> protecting against one signle bad page address. This does not look like
> a good performance tradeoff.
> 
>> +#define OVERFLOW_ADD_CHECK(a, b)  \
>> +		(((a) + (b)) < (a))
> 
> I'm not sure if this is generally safe overflow check (never not
> optimized out). Here it depends on the types of 'a' and 'b' that are
> pointer (ip) and size_t (m_len). GCC has __builtin_add_overflow_p so
> that one should be used where possible.
> 

-- 
Markus Oberhumer, <markus@oberhumer.com>, http://www.oberhumer.com/

next prev parent reply	other threads:[~2018-12-04 10:20 UTC|newest]

Thread overview: 17+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2018-11-28  7:31 [PATCH v2] lzo: fix ip overrun during compress Yueyi Li
2018-11-28 13:52 ` David Sterba
2018-11-28 14:15   ` Willy Tarreau
2018-11-29 16:49   ` Dave Rodgman
2018-11-30  3:05     ` Yueyi Li
2018-11-30 12:20       ` Dave Rodgman
2018-12-03  2:46         ` Yueyi Li
2018-12-03  3:05           ` Yueyi Li
2018-12-04 10:20   ` Markus F.X.J. Oberhumer [this message]
2018-12-05  3:07     ` Yueyi Li
2018-12-06 15:03       ` Markus F.X.J. Oberhumer
2018-12-12  5:21         ` Yueyi Li
2018-12-12 12:35           ` Markus F.X.J. Oberhumer
2018-12-14 13:56             ` Richard Weinberger
2018-12-14 16:46               ` Kees Cook
2018-12-16 16:56                 ` Markus F.X.J. Oberhumer
2018-12-18  9:25                   ` Yueyi Li

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:236eb21167b dfblob:959dec45f6f )
 OR (
bs:"Re: [PATCH v2] lzo: fix ip overrun during compress." )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=5C0654EE.5040001@oberhumer.com \
    --to=markus@oberhumer.com \
    --cc=donb@securitymouse.com \
    --cc=dsterba@suse.cz \
    --cc=gregkh@linuxfoundation.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=liyueyi@live.com \
    --cc=w@1wt.eu \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox