From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Willem Pinckaers <willem@lekkertech.net>,
"Don A. Bailey" <donb@securitymouse.com>,
Willy Tarreau <w@1wt.eu>
Subject: [PATCH 3.14 037/100] Revert "lzo: properly check for overruns"
Date: Tue, 28 Oct 2014 11:35:22 +0800
Message-ID: <20141028033502.288224875@linuxfoundation.org>
In-Reply-To: <20141028033500.670583608@linuxfoundation.org>
3.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Willy Tarreau <w@1wt.eu>
commit af958a38a60c7ca3d8a39c918c1baa2ff7b6b233 upstream.
This reverts commit 206a81c ("lzo: properly check for overruns").
As analysed by Willem Pinckaers, this fix is still incomplete on
certain rare corner cases, and it is easier to restart from the
original code.
Reported-by: Willem Pinckaers <willem@lekkertech.net>
Cc: "Don A. Bailey" <donb@securitymouse.com>
Signed-off-by: Willy Tarreau <w@1wt.eu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
lib/lzo/lzo1x_decompress_safe.c | 62 +++++++++++++---------------------------
1 file changed, 21 insertions(+), 41 deletions(-)
--- a/lib/lzo/lzo1x_decompress_safe.c
+++ b/lib/lzo/lzo1x_decompress_safe.c
@@ -19,31 +19,11 @@
#include <linux/lzo.h>
#include "lzodefs.h"
-#define HAVE_IP(t, x) \
- (((size_t)(ip_end - ip) >= (size_t)(t + x)) && \
- (((t + x) >= t) && ((t + x) >= x)))
-
-#define HAVE_OP(t, x) \
- (((size_t)(op_end - op) >= (size_t)(t + x)) && \
- (((t + x) >= t) && ((t + x) >= x)))
-
-#define NEED_IP(t, x) \
- do { \
- if (!HAVE_IP(t, x)) \
- goto input_overrun; \
- } while (0)
-
-#define NEED_OP(t, x) \
- do { \
- if (!HAVE_OP(t, x)) \
- goto output_overrun; \
- } while (0)
-
-#define TEST_LB(m_pos) \
- do { \
- if ((m_pos) < out) \
- goto lookbehind_overrun; \
- } while (0)
+#define HAVE_IP(x) ((size_t)(ip_end - ip) >= (size_t)(x))
+#define HAVE_OP(x) ((size_t)(op_end - op) >= (size_t)(x))
+#define NEED_IP(x) if (!HAVE_IP(x)) goto input_overrun
+#define NEED_OP(x) if (!HAVE_OP(x)) goto output_overrun
+#define TEST_LB(m_pos) if ((m_pos) < out) goto lookbehind_overrun
int lzo1x_decompress_safe(const unsigned char *in, size_t in_len,
unsigned char *out, size_t *out_len)
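
Review bot: The restored NEED_IP, NEED_OP and TEST_LB definitions are bare `if (...) goto ...` statements with no `do { } while (0)` wrapper, so an `else` following a call would bind to the macro's hidden `if`. The call sites visible in this patch all use them as standalone statements, so behaviour is unchanged, but keeping the wrapper from the removed version costs nothing. Also, HAVE_IP(x) and HAVE_OP(x) now receive a sum computed by the caller (`t + 15`, `t + 3`), so the macro itself can no longer detect wrap-around in that addition; whatever replaces the reverted fix has to bound t before these checks are reached.
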
@@ -78,14 +58,14 @@ int lzo1x_decompress_safe(const unsigned
while (unlikely(*ip == 0)) {
t += 255;
ip++;
- NEED_IP(1, 0);
+ NEED_IP(1);
}
t += 15 + *ip++;
}
t += 3;
copy_literal_run:
#if defined(CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS)
- if (likely(HAVE_IP(t, 15) && HAVE_OP(t, 15))) {
+ if (likely(HAVE_IP(t + 15) && HAVE_OP(t + 15))) {
const unsigned char *ie = ip + t;
unsigned char *oe = op + t;
do {
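
Review bot: In the length loop at the top of this hunk, `t += 255` runs once per zero input byte and `NEED_IP(1)` only checks the remaining input, so nothing bounds t before `HAVE_IP(t + 15) && HAVE_OP(t + 15)`. If t is large enough for `t + 15` to wrap, both checks compare against a small value and pass, and `ie = ip + t` and `oe = op + t` are then formed from the unchecked t. Suggest rejecting the stream inside the loop once t exceeds what the remaining buffers could hold, rather than relying on the sum at the check site.
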
@@ -101,8 +81,8 @@ copy_literal_run:
} else
#endif
{
- NEED_OP(t, 0);
- NEED_IP(t, 3);
+ NEED_OP(t);
+ NEED_IP(t + 3);
do {
*op++ = *ip++;
} while (--t > 0);
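
Review bot: The order of the two checks in this fallback block is load-bearing and undocumented: `NEED_OP(t)` rejects any t larger than the remaining output before `NEED_IP(t + 3)` evaluates the sum, which in practice keeps `t + 3` from wrapping here. Please add a comment saying so, and one explaining what the extra 3 input bytes are reserved for, so that a later reordering does not remove the protection.
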
@@ -115,7 +95,7 @@ copy_literal_run:
m_pos -= t >> 2;
m_pos -= *ip++ << 2;
TEST_LB(m_pos);
- NEED_OP(2, 0);
+ NEED_OP(2);
op[0] = m_pos[0];
op[1] = m_pos[1];
op += 2;
@@ -139,10 +119,10 @@ copy_literal_run:
while (unlikely(*ip == 0)) {
t += 255;
ip++;
- NEED_IP(1, 0);
+ NEED_IP(1);
}
t += 31 + *ip++;
- NEED_IP(2, 0);
+ NEED_IP(2);
}
m_pos = op - 1;
next = get_unaligned_le16(ip);
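
Review bot: The zero-byte length loop in this hunk (`t += 255; ip++; NEED_IP(1);`) is the same unbounded accumulation as in the literal-run path, and it appears a third time in the following hunk ahead of `t += 7 + *ip++`. Consider factoring the loop into one helper or macro that also caps t, so the overrun check is written and reviewed once instead of three times.
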
@@ -157,10 +137,10 @@ copy_literal_run:
while (unlikely(*ip == 0)) {
t += 255;
ip++;
- NEED_IP(1, 0);
+ NEED_IP(1);
}
t += 7 + *ip++;
- NEED_IP(2, 0);
+ NEED_IP(2);
}
next = get_unaligned_le16(ip);
ip += 2;
@@ -174,7 +154,7 @@ copy_literal_run:
#if defined(CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS)
if (op - m_pos >= 8) {
unsigned char *oe = op + t;
- if (likely(HAVE_OP(t, 15))) {
+ if (likely(HAVE_OP(t + 15))) {
do {
COPY8(op, m_pos);
op += 8;
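
Review bot: `unsigned char *oe = op + t;` is computed before `HAVE_OP(t + 15)` has validated t, so for an oversized t the pointer is already formed past the output buffer, and the sum `t + 15` has the same wrap exposure as the literal-run fast path. Suggest comparing t against `op_end - op` first and deriving oe only after that check succeeds.
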
@@ -184,7 +164,7 @@ copy_literal_run:
m_pos += 8;
} while (op < oe);
op = oe;
- if (HAVE_IP(6, 0)) {
+ if (HAVE_IP(6)) {
state = next;
COPY4(op, ip);
op += next;
@@ -192,7 +172,7 @@ copy_literal_run:
continue;
}
} else {
- NEED_OP(t, 0);
+ NEED_OP(t);
do {
*op++ = *m_pos++;
} while (op < oe);
@@ -201,7 +181,7 @@ copy_literal_run:
#endif
{
unsigned char *oe = op + t;
- NEED_OP(t, 0);
+ NEED_OP(t);
op[0] = m_pos[0];
op[1] = m_pos[1];
op += 2;
@@ -214,15 +194,15 @@ match_next:
state = next;
t = next;
#if defined(CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS)
- if (likely(HAVE_IP(6, 0) && HAVE_OP(4, 0))) {
+ if (likely(HAVE_IP(6) && HAVE_OP(4))) {
COPY4(op, ip);
op += t;
ip += t;
} else
#endif
{
- NEED_IP(t, 3);
- NEED_OP(t, 0);
+ NEED_IP(t + 3);
+ NEED_OP(t);
while (t > 0) {
*op++ = *ip++;
t--;
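
Review bot: In the fallback block of this hunk the checks run as `NEED_IP(t + 3)` then `NEED_OP(t)`, the reverse of the literal-run fallback, so the sum is evaluated before t has been compared against anything. That is only safe if `next` is guaranteed to be small at `t = next`, which this hunk does not show; either put `NEED_OP(t)` first for consistency or add a comment stating the range of next.
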