From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	stable@vger.kernel.org, "Don A. Bailey" <donb@securitymouse.com>
Subject: [PATCH 3.4 26/26] lzo: properly check for overruns
Date: Tue, 24 Jun 2014 11:50:49 -0400	[thread overview]
Message-ID: <20140624154620.731380954@linuxfoundation.org> (raw)
In-Reply-To: <20140624154619.499002156@linuxfoundation.org>

3.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 206a81c18401c0cde6e579164f752c4b147324ce upstream.

The lzo decompressor can, if given some really crazy data, possibly
overrun some variable types.  Modify the checking logic to properly
detect overruns before they happen.

Reported-by: "Don A. Bailey" <donb@securitymouse.com>
Tested-by: "Don A. Bailey" <donb@securitymouse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 lib/lzo/lzo1x_decompress_safe.c |   62 ++++++++++++++++++++++++++--------------
 1 file changed, 41 insertions(+), 21 deletions(-)

--- a/lib/lzo/lzo1x_decompress_safe.c
+++ b/lib/lzo/lzo1x_decompress_safe.c
@@ -19,11 +19,31 @@
 #include <linux/lzo.h>
 #include "lzodefs.h"
 
-#define HAVE_IP(x)      ((size_t)(ip_end - ip) >= (size_t)(x))
-#define HAVE_OP(x)      ((size_t)(op_end - op) >= (size_t)(x))
-#define NEED_IP(x)      if (!HAVE_IP(x)) goto input_overrun
-#define NEED_OP(x)      if (!HAVE_OP(x)) goto output_overrun
-#define TEST_LB(m_pos)  if ((m_pos) < out) goto lookbehind_overrun
+#define HAVE_IP(t, x)					\
+	(((size_t)(ip_end - ip) >= (size_t)(t + x)) &&	\
+	 (((t + x) >= t) && ((t + x) >= x)))
+
+#define HAVE_OP(t, x)					\
+	(((size_t)(op_end - op) >= (size_t)(t + x)) &&	\
+	 (((t + x) >= t) && ((t + x) >= x)))
+
+#define NEED_IP(t, x)					\
+	do {						\
+		if (!HAVE_IP(t, x))			\
+			goto input_overrun;		\
+	} while (0)
+
+#define NEED_OP(t, x)					\
+	do {						\
+		if (!HAVE_OP(t, x))			\
+			goto output_overrun;		\
+	} while (0)
+
+#define TEST_LB(m_pos)					\
+	do {						\
+		if ((m_pos) < out)			\
+			goto lookbehind_overrun;	\
+	} while (0)
 
 int lzo1x_decompress_safe(const unsigned char *in, size_t in_len,
 			  unsigned char *out, size_t *out_len)
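Review bot: The new HAVE_IP/HAVE_OP macros expand `t` and `x` unparenthesized and evaluate each several times, and the wrap test `(t + x) >= t` is only meaningful when the sum is computed in an unsigned type. Every call site in this patch passes a plain variable or a literal, so nothing misbehaves today. The declaration of `t` is outside the diff, though, and a signed argument would turn the test into signed-overflow undefined behaviour. I would compute the sum explicitly in size_t, e.g. `(((size_t)(t) + (size_t)(x) >= (size_t)(t)) && ((size_t)(ip_end - ip) >= (size_t)(t) + (size_t)(x)))`, and likewise for HAVE_OP. A comment above the macros would also help: `/* t and x are byte counts; their sum is checked for size_t wrap-around before it is compared with the space left */`.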
@@ -58,14 +78,14 @@ int lzo1x_decompress_safe(const unsigned
 					while (unlikely(*ip == 0)) {
 						t += 255;
 						ip++;
-						NEED_IP(1);
+						NEED_IP(1, 0);
 					}
 					t += 15 + *ip++;
 				}
 				t += 3;
 copy_literal_run:
 #if defined(CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS)
-				if (likely(HAVE_IP(t + 15) && HAVE_OP(t + 15))) {
+				if (likely(HAVE_IP(t, 15) && HAVE_OP(t, 15))) {
 					const unsigned char *ie = ip + t;
 					unsigned char *oe = op + t;
 					do {
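Review bot: The length built up by `t += 255` in the zero-byte loop is never bounded. `NEED_IP(1, 0)` limits the loop only by the remaining input, and the wrap test inside `HAVE_IP(t, 15)` covers `t + 15`, not the additions that produced `t`. If `t` is a 32-bit size_t (its declaration is outside the hunk), a long enough run of zero bytes would presumably wrap it, and the later checks would then accept a small, wrong length instead of reporting an error. A guard inside the loop before the addition would reject such a stream, e.g. `if (unlikely(t > ~(size_t)0 - 1024)) goto input_overrun;`, where any margin larger than the constants added afterwards works. The same loop appears in the hunks at -119 and -137.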
@@ -81,8 +101,8 @@ copy_literal_run:
 				} else
 #endif
 				{
-					NEED_OP(t);
-					NEED_IP(t + 3);
+					NEED_OP(t, 0);
+					NEED_IP(t, 3);
 					do {
 						*op++ = *ip++;
 					} while (--t > 0);
@@ -95,7 +115,7 @@ copy_literal_run:
 				m_pos -= t >> 2;
 				m_pos -= *ip++ << 2;
 				TEST_LB(m_pos);
-				NEED_OP(2);
+				NEED_OP(2, 0);
 				op[0] = m_pos[0];
 				op[1] = m_pos[1];
 				op += 2;
@@ -119,10 +139,10 @@ copy_literal_run:
 				while (unlikely(*ip == 0)) {
 					t += 255;
 					ip++;
-					NEED_IP(1);
+					NEED_IP(1, 0);
 				}
 				t += 31 + *ip++;
-				NEED_IP(2);
+				NEED_IP(2, 0);
 			}
 			m_pos = op - 1;
 			next = get_unaligned_le16(ip);
@@ -137,10 +157,10 @@ copy_literal_run:
 				while (unlikely(*ip == 0)) {
 					t += 255;
 					ip++;
-					NEED_IP(1);
+					NEED_IP(1, 0);
 				}
 				t += 7 + *ip++;
-				NEED_IP(2);
+				NEED_IP(2, 0);
 			}
 			next = get_unaligned_le16(ip);
 			ip += 2;
@@ -154,7 +174,7 @@ copy_literal_run:
 #if defined(CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS)
 		if (op - m_pos >= 8) {
 			unsigned char *oe = op + t;
-			if (likely(HAVE_OP(t + 15))) {
+			if (likely(HAVE_OP(t, 15))) {
 				do {
 					COPY8(op, m_pos);
 					op += 8;
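Review bot: `unsigned char *oe = op + t;` is evaluated before `HAVE_OP(t, 15)` has shown that `t` bytes fit in the output buffer. For an oversized `t` the pointer addition itself goes past the end of the buffer, which is undefined behaviour even if `oe` is never dereferenced. Declaring `unsigned char *oe;` and assigning `oe = op + t;` only after `HAVE_OP(t, 15)` or `NEED_OP(t, 0)` has passed keeps the arithmetic in bounds. The same ordering is visible in the hunk at -181, where `oe` is computed one line before `NEED_OP(t, 0)`. The enclosing block starts and ends outside this hunk.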
@@ -164,7 +184,7 @@ copy_literal_run:
 					m_pos += 8;
 				} while (op < oe);
 				op = oe;
-				if (HAVE_IP(6)) {
+				if (HAVE_IP(6, 0)) {
 					state = next;
 					COPY4(op, ip);
 					op += next;
@@ -172,7 +192,7 @@ copy_literal_run:
 					continue;
 				}
 			} else {
-				NEED_OP(t);
+				NEED_OP(t, 0);
 				do {
 					*op++ = *m_pos++;
 				} while (op < oe);
@@ -181,7 +201,7 @@ copy_literal_run:
 #endif
 		{
 			unsigned char *oe = op + t;
-			NEED_OP(t);
+			NEED_OP(t, 0);
 			op[0] = m_pos[0];
 			op[1] = m_pos[1];
 			op += 2;
@@ -194,15 +214,15 @@ match_next:
 		state = next;
 		t = next;
 #if defined(CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS)
-		if (likely(HAVE_IP(6) && HAVE_OP(4))) {
+		if (likely(HAVE_IP(6, 0) && HAVE_OP(4, 0))) {
 			COPY4(op, ip);
 			op += t;
 			ip += t;
 		} else
 #endif
 		{
-			NEED_IP(t + 3);
-			NEED_OP(t);
+			NEED_IP(t, 3);
+			NEED_OP(t, 0);
 			while (t > 0) {
 				*op++ = *ip++;
 				t--;



2014-06-24 15:50 [PATCH 3.4 00/26] 3.4.95-stable review Greg Kroah-Hartman
2014-06-24 15:50 ` [PATCH 3.4 01/26] iscsi-target: Reject mutual authentication with reflected CHAP_C Greg Kroah-Hartman
2014-06-24 15:50 ` [PATCH 3.4 02/26] evm: prohibit userspace writing security.evm HMAC value Greg Kroah-Hartman
2014-06-24 15:50 ` [PATCH 3.4 03/26] net: tunnels - enable module autoloading Greg Kroah-Hartman
2014-06-24 15:50 ` [PATCH 3.4 04/26] net: fix inet_getid() and ipv6_select_ident() bugs Greg Kroah-Hartman
2014-06-24 15:50 ` [PATCH 3.4 05/26] team: fix mtu setting Greg Kroah-Hartman
2014-06-24 15:50 ` [PATCH 3.4 06/26] sctp: Fix sk_ack_backlog wrap-around problem Greg Kroah-Hartman
2014-06-24 15:50 ` [PATCH 3.4 07/26] mlx4_core: Stash PCI ID driver_data in mlx4_priv structure Greg Kroah-Hartman
2014-06-24 15:50 ` [PATCH 3.4 08/26] net/mlx4_core: Preserve pci_dev_data after __mlx4_remove_one() Greg Kroah-Hartman
2014-06-24 15:50 ` [PATCH 3.4 09/26] netlink: rate-limit leftover bytes warning and print process name Greg Kroah-Hartman
2014-06-24 15:50 ` [PATCH 3.4 10/26] USB: cdc-acm: fix write and suspend race Greg Kroah-Hartman
2014-06-24 15:50 ` [PATCH 3.4 11/26] USB: cdc-acm: fix write and resume race Greg Kroah-Hartman
2014-06-24 15:50 ` [PATCH 3.4 12/26] USB: cdc-acm: fix broken runtime suspend Greg Kroah-Hartman
2014-06-24 15:50 ` [PATCH 3.4 13/26] USB: cdc-acm: fix runtime PM for control messages Greg Kroah-Hartman
2014-06-24 15:50 ` [PATCH 3.4 14/26] USB: cdc-acm: fix shutdown and suspend race Greg Kroah-Hartman
2014-06-24 15:50 ` [PATCH 3.4 15/26] USB: cdc-acm: fix I/O after failed open Greg Kroah-Hartman
2014-06-24 15:50 ` [PATCH 3.4 16/26] USB: cdc-acm: fix runtime PM imbalance at shutdown Greg Kroah-Hartman
2014-06-24 15:50 ` [PATCH 3.4 17/26] nohz: Fix another inconsistency between CONFIG_NO_HZ=n and nohz=off Greg Kroah-Hartman
2014-06-24 15:50 ` [PATCH 3.4 18/26] ALSA: hda/realtek - Add support of ALC891 codec Greg Kroah-Hartman
2014-06-24 15:50 ` [PATCH 3.4 19/26] ALSA: control: Protect user controls against concurrent access Greg Kroah-Hartman
2014-06-24 15:50 ` [PATCH 3.4 20/26] ALSA: control: Fix replacing user controls Greg Kroah-Hartman
2014-06-24 15:50 ` [PATCH 3.4 21/26] ALSA: control: Dont access controls outside of protected regions Greg Kroah-Hartman
2014-06-24 15:50 ` [PATCH 3.4 22/26] ALSA: control: Handle numid overflow Greg Kroah-Hartman
2014-06-24 15:50 ` [PATCH 3.4 23/26] ALSA: control: Make sure that id->index does not overflow Greg Kroah-Hartman
2014-06-24 15:50 ` [PATCH 3.4 24/26] lib/lzo: Rename lzo1x_decompress.c to lzo1x_decompress_safe.c Greg Kroah-Hartman
2014-06-24 15:50 ` [PATCH 3.4 25/26] lib/lzo: Update LZO compression to current upstream version Greg Kroah-Hartman
2014-06-24 15:50 ` Greg Kroah-Hartman [this message]
2014-06-24 19:50 ` [PATCH 3.4 00/26] 3.4.95-stable review Shuah Khan
2014-06-24 23:25 ` Guenter Roeck
