From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Willem Pinckaers <willem@lekkertech.net>,
"Don A. Bailey" <donb@securitymouse.com>,
Willy Tarreau <w@1wt.eu>
Subject: [PATCH 3.10 24/43] lzo: check for length overrun in variable length encoding.
Date: Tue, 28 Oct 2014 11:36:22 +0800 [thread overview]
Message-ID: <20141028033524.436461734@linuxfoundation.org> (raw)
In-Reply-To: <20141028033523.407092670@linuxfoundation.org>
3.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Willy Tarreau <w@1wt.eu>
commit 72cf90124e87d975d0b2114d930808c58b4c05e4 upstream.
This fix ensures that we never meet an integer overflow while adding
255 while parsing a variable length encoding. It works differently from
commit 206a81c ("lzo: properly check for overruns") because instead of
ensuring that we don't overrun the input, which is tricky to guarantee
due to many assumptions in the code, it simply checks that the cumulated
number of 255 read cannot overflow by bounding this number.
The MAX_255_COUNT is the maximum number of times we can add 255 to a base
count without overflowing an integer. The multiply will overflow when
multiplying 255 by more than MAXINT/255. The sum will overflow earlier
depending on the base count. Since the base count is taken from a u8
and a few bits, it is safe to assume that it will always be lower than
or equal to 2*255, thus we can always prevent any overflow by accepting
two less 255 steps.
This patch also reduces the CPU overhead and actually increases performance
by 1.1% compared to the initial code, while the previous fix costs 3.1%
(measured on x86_64).
The fix needs to be backported to all currently supported stable kernels.
Reported-by: Willem Pinckaers <willem@lekkertech.net>
Cc: "Don A. Bailey" <donb@securitymouse.com>
Signed-off-by: Willy Tarreau <w@1wt.eu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
lib/lzo/lzo1x_decompress_safe.c | 43 ++++++++++++++++++++++++++++++++++------
1 file changed, 37 insertions(+), 6 deletions(-)
--- a/lib/lzo/lzo1x_decompress_safe.c
+++ b/lib/lzo/lzo1x_decompress_safe.c
@@ -25,6 +25,16 @@
#define NEED_OP(x) if (!HAVE_OP(x)) goto output_overrun
#define TEST_LB(m_pos) if ((m_pos) < out) goto lookbehind_overrun
+/* This MAX_255_COUNT is the maximum number of times we can add 255 to a base
+ * count without overflowing an integer. The multiply will overflow when
+ * multiplying 255 by more than MAXINT/255. The sum will overflow earlier
+ * depending on the base count. Since the base count is taken from a u8
+ * and a few bits, it is safe to assume that it will always be lower than
+ * or equal to 2*255, thus we can always prevent any overflow by accepting
+ * two less 255 steps. See Documentation/lzo.txt for more information.
+ */
+#define MAX_255_COUNT ((((size_t)~0) / 255) - 2)
+
int lzo1x_decompress_safe(const unsigned char *in, size_t in_len,
unsigned char *out, size_t *out_len)
{
@@ -55,12 +65,19 @@ int lzo1x_decompress_safe(const unsigned
if (t < 16) {
if (likely(state == 0)) {
if (unlikely(t == 0)) {
+ size_t offset;
+ const unsigned char *ip_last = ip;
+
while (unlikely(*ip == 0)) {
- t += 255;
ip++;
NEED_IP(1);
}
- t += 15 + *ip++;
+ offset = ip - ip_last;
+ if (unlikely(offset > MAX_255_COUNT))
+ return LZO_E_ERROR;
+
+ offset = (offset << 8) - offset;
+ t += offset + 15 + *ip++;
}
t += 3;
copy_literal_run:
@@ -116,12 +133,19 @@ copy_literal_run:
} else if (t >= 32) {
t = (t & 31) + (3 - 1);
if (unlikely(t == 2)) {
+ size_t offset;
+ const unsigned char *ip_last = ip;
+
while (unlikely(*ip == 0)) {
- t += 255;
ip++;
NEED_IP(1);
}
- t += 31 + *ip++;
+ offset = ip - ip_last;
+ if (unlikely(offset > MAX_255_COUNT))
+ return LZO_E_ERROR;
+
+ offset = (offset << 8) - offset;
+ t += offset + 31 + *ip++;
NEED_IP(2);
}
m_pos = op - 1;
@@ -134,12 +158,19 @@ copy_literal_run:
m_pos -= (t & 8) << 11;
t = (t & 7) + (3 - 1);
if (unlikely(t == 2)) {
+ size_t offset;
+ const unsigned char *ip_last = ip;
+
while (unlikely(*ip == 0)) {
- t += 255;
ip++;
NEED_IP(1);
}
- t += 7 + *ip++;
+ offset = ip - ip_last;
+ if (unlikely(offset > MAX_255_COUNT))
+ return LZO_E_ERROR;
+
+ offset = (offset << 8) - offset;
+ t += offset + 7 + *ip++;
NEED_IP(2);
}
next = get_unaligned_le16(ip);
next prev parent reply other threads:[~2014-10-28 3:36 UTC|newest]
Thread overview: 46+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-10-28 3:35 [PATCH 3.10 00/43] 3.10.59-stable review Greg Kroah-Hartman
2014-10-28 3:35 ` [PATCH 3.10 01/43] Btrfs: try not to ENOSPC on log replay Greg Kroah-Hartman
2014-10-28 3:36 ` [PATCH 3.10 02/43] Btrfs: fix build_backref_tree issue with multiple shared blocks Greg Kroah-Hartman
2014-10-28 3:36 ` [PATCH 3.10 03/43] Btrfs: fix race in WAIT_SYNC ioctl Greg Kroah-Hartman
2014-10-28 3:36 ` [PATCH 3.10 04/43] fs: Add a missing permission check to do_umount Greg Kroah-Hartman
2014-10-28 3:36 ` [PATCH 3.10 05/43] kvm: x86: fix stale mmio cache bug Greg Kroah-Hartman
2014-10-28 3:36 ` [PATCH 3.10 06/43] KVM: s390: unintended fallthrough for external call Greg Kroah-Hartman
2014-10-28 3:36 ` [PATCH 3.10 07/43] kvm: dont take vcpu mutex for obviously invalid vcpu ioctls Greg Kroah-Hartman
2014-10-28 3:36 ` [PATCH 3.10 08/43] x86/intel/quark: Switch off CR4.PGE so TLB flush uses CR3 instead Greg Kroah-Hartman
2014-10-28 3:36 ` [PATCH 3.10 09/43] spi: dw-mid: respect 8 bit mode Greg Kroah-Hartman
2014-10-28 3:36 ` [PATCH 3.10 10/43] spi: dw-mid: check that DMA was inited before exit Greg Kroah-Hartman
2014-10-28 3:36 ` [PATCH 3.10 11/43] regmap: debugfs: fix possbile NULL pointer dereference Greg Kroah-Hartman
2014-10-28 3:36 ` [PATCH 3.10 12/43] regmap: fix NULL pointer dereference in _regmap_write/read Greg Kroah-Hartman
2014-10-28 3:36 ` [PATCH 3.10 13/43] be2iscsi: check ip buffer before copying Greg Kroah-Hartman
2014-10-28 3:36 ` [PATCH 3.10 14/43] mptfusion: enable no_write_same for vmware scsi disks Greg Kroah-Hartman
2014-10-28 3:36 ` [PATCH 3.10 15/43] qla2xxx: Use correct offset to req-q-out for reserve calculation Greg Kroah-Hartman
2014-10-28 3:36 ` [PATCH 3.10 16/43] firmware_class: make sure fw requests contain a name Greg Kroah-Hartman
2014-10-28 3:36 ` [PATCH 3.10 17/43] Drivers: hv: vmbus: Cleanup vmbus_post_msg() Greg Kroah-Hartman
2014-10-28 3:36 ` [PATCH 3.10 18/43] Drivers: hv: vmbus: Cleanup vmbus_teardown_gpadl() Greg Kroah-Hartman
2014-10-28 3:36 ` [PATCH 3.10 19/43] Drivers: hv: vmbus: Cleanup vmbus_establish_gpadl() Greg Kroah-Hartman
2014-10-28 3:36 ` [PATCH 3.10 20/43] Drivers: hv: vmbus: Fix a bug in vmbus_open() Greg Kroah-Hartman
2014-10-28 3:36 ` [PATCH 3.10 21/43] m68k: Disable/restore interrupts in hwreg_present()/hwreg_write() Greg Kroah-Hartman
2014-10-28 3:36 ` [PATCH 3.10 22/43] Documentation: lzo: document part of the encoding Greg Kroah-Hartman
2014-10-28 3:36 ` [PATCH 3.10 23/43] Revert "lzo: properly check for overruns" Greg Kroah-Hartman
2014-10-28 3:36 ` Greg Kroah-Hartman [this message]
2014-10-28 3:36 ` [PATCH 3.10 25/43] NFSv4: Fix lock recovery when CREATE_SESSION/SETCLIENTID_CONFIRM fails Greg Kroah-Hartman
2014-10-28 3:36 ` [PATCH 3.10 26/43] NFSv4: fix open/lock state recovery error handling Greg Kroah-Hartman
2014-10-28 3:36 ` [PATCH 3.10 27/43] NFSv4.1: Fix an NFSv4.1 state renewal regression Greg Kroah-Hartman
2014-10-28 3:36 ` [PATCH 3.10 28/43] iwlwifi: Add missing PCI IDs for the 7260 series Greg Kroah-Hartman
2014-10-28 3:36 ` [PATCH 3.10 29/43] PCI: Increase IBM ipr SAS Crocodile BARs to at least system page size Greg Kroah-Hartman
2014-10-28 3:36 ` [PATCH 3.10 30/43] PCI: Generate uppercase hex for modalias interface class Greg Kroah-Hartman
2014-10-28 3:36 ` [PATCH 3.10 31/43] rt2800: correct BBP1_TX_POWER_CTRL mask Greg Kroah-Hartman
2014-10-28 3:36 ` [PATCH 3.10 32/43] Bluetooth: Fix HCI H5 corrupted ack value Greg Kroah-Hartman
2014-10-28 3:36 ` [PATCH 3.10 33/43] Bluetooth: Fix issue with USB suspend in btusb driver Greg Kroah-Hartman
2014-10-28 3:36 ` [PATCH 3.10 34/43] mm: clear __GFP_FS when PF_MEMALLOC_NOIO is set Greg Kroah-Hartman
2014-10-28 3:36 ` [PATCH 3.10 36/43] kernel: add support for gcc 5 Greg Kroah-Hartman
2014-10-28 3:36 ` [PATCH 3.10 37/43] spi: dw-mid: terminate ongoing transfers at exit Greg Kroah-Hartman
2014-10-28 3:36 ` [PATCH 3.10 38/43] arm64: compat: fix compat types affecting struct compat_elf_prpsinfo Greg Kroah-Hartman
2014-10-28 3:36 ` [PATCH 3.10 39/43] ALSA: pcm: use the same dma mmap codepath both for arm and arm64 Greg Kroah-Hartman
2014-10-28 3:36 ` [PATCH 3.10 40/43] ALSA: emu10k1: Fix deadlock in synth voice lookup Greg Kroah-Hartman
2014-10-28 3:36 ` [PATCH 3.10 41/43] ALSA: usb-audio: Add support for Steinberg UR22 USB interface Greg Kroah-Hartman
2014-10-28 3:36 ` [PATCH 3.10 42/43] ARM: at91/PMC: dont forget to write PMC_PCDR register to disable clocks Greg Kroah-Hartman
2014-10-28 3:36 ` [PATCH 3.10 43/43] ecryptfs: avoid to access NULL pointer when write metadata in xattr Greg Kroah-Hartman
2014-10-28 4:43 ` [PATCH 3.10 00/43] 3.10.59-stable review Guenter Roeck
2014-10-28 6:02 ` Greg Kroah-Hartman
2014-10-28 16:16 ` Shuah Khan
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20141028033524.436461734@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=donb@securitymouse.com \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
--cc=w@1wt.eu \
--cc=willem@lekkertech.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).