From: Willy Tarreau <w@1wt.eu>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: "Don A. Bailey" <donb@securitymouse.com>,
Willy Tarreau <w@1wt.eu>,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Subject: [ 45/48] lzo: check for length overrun in variable length
Date: Sun, 16 Nov 2014 22:54:13 +0100 [thread overview]
Message-ID: <20141116215330.521414973@1wt.eu> (raw)
In-Reply-To: <28c765bc23bd4bae1611534e510f49f8@local>
2.6.32-longterm review patch. If anyone has any objections, please let me know.
------------------
encoding.
From: Willy Tarreau <w@1wt.eu>
This fix ensures that we never meet an integer overflow while adding
255 while parsing a variable length encoding. It works differently from
commit 206a81c ("lzo: properly check for overruns") because instead of
ensuring that we don't overrun the input, which is tricky to guarantee
due to many assumptions in the code, it simply checks that the cumulated
number of 255 read cannot overflow by bounding this number.
The MAX_255_COUNT is the maximum number of times we can add 255 to a base
count without overflowing an integer. The multiply will overflow when
multiplying 255 by more than MAXINT/255. The sum will overflow earlier
depending on the base count. Since the base count is taken from a u8
and a few bits, it is safe to assume that it will always be lower than
or equal to 2*255, thus we can always prevent any overflow by accepting
two less 255 steps.
This patch also reduces the CPU overhead and actually increases performance
by 1.1% compared to the initial code, while the previous fix costs 3.1%
(measured on x86_64).
The fix needs to be backported to all currently supported stable kernels.
Reported-by: Willem Pinckaers <willem@lekkertech.net>
Cc: "Don A. Bailey" <donb@securitymouse.com>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Willy Tarreau <w@1wt.eu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit 72cf90124e87d975d0b2114d930808c58b4c05e4)
Signed-off-by: Willy Tarreau <w@1wt.eu>
---
lib/lzo/lzo1x_decompress.c | 43 +++++++++++++++++++++++++++++++++++++------
1 file changed, 37 insertions(+), 6 deletions(-)
diff --git a/lib/lzo/lzo1x_decompress.c b/lib/lzo/lzo1x_decompress.c
index 2aa2915..eabee8f 100644
--- a/lib/lzo/lzo1x_decompress.c
+++ b/lib/lzo/lzo1x_decompress.c
@@ -24,6 +24,16 @@
#define NEED_OP(x) if (!HAVE_OP(x)) goto output_overrun
#define TEST_LB(m_pos) if ((m_pos) < out) goto lookbehind_overrun
+/* This MAX_255_COUNT is the maximum number of times we can add 255 to a base
+ * count without overflowing an integer. The multiply will overflow when
+ * multiplying 255 by more than MAXINT/255. The sum will overflow earlier
+ * depending on the base count. Since the base count is taken from a u8
+ * and a few bits, it is safe to assume that it will always be lower than
+ * or equal to 2*255, thus we can always prevent any overflow by accepting
+ * two less 255 steps. See Documentation/lzo.txt for more information.
+ */
+#define MAX_255_COUNT ((((size_t)~0) / 255) - 2)
+
int lzo1x_decompress_safe(const unsigned char *in, size_t in_len,
unsigned char *out, size_t *out_len)
{
@@ -54,12 +64,19 @@ int lzo1x_decompress_safe(const unsigned char *in, size_t in_len,
if (t < 16) {
if (likely(state == 0)) {
if (unlikely(t == 0)) {
+ size_t offset;
+ const unsigned char *ip_last = ip;
+
while (unlikely(*ip == 0)) {
- t += 255;
ip++;
NEED_IP(1);
}
- t += 15 + *ip++;
+ offset = ip - ip_last;
+ if (unlikely(offset > MAX_255_COUNT))
+ return LZO_E_ERROR;
+
+ offset = (offset << 8) - offset;
+ t += offset + 15 + *ip++;
}
t += 3;
copy_literal_run:
@@ -115,12 +132,19 @@ copy_literal_run:
} else if (t >= 32) {
t = (t & 31) + (3 - 1);
if (unlikely(t == 2)) {
+ size_t offset;
+ const unsigned char *ip_last = ip;
+
while (unlikely(*ip == 0)) {
- t += 255;
ip++;
NEED_IP(1);
}
- t += 31 + *ip++;
+ offset = ip - ip_last;
+ if (unlikely(offset > MAX_255_COUNT))
+ return LZO_E_ERROR;
+
+ offset = (offset << 8) - offset;
+ t += offset + 31 + *ip++;
NEED_IP(2);
}
m_pos = op - 1;
@@ -133,12 +157,19 @@ copy_literal_run:
m_pos -= (t & 8) << 11;
t = (t & 7) + (3 - 1);
if (unlikely(t == 2)) {
+ size_t offset;
+ const unsigned char *ip_last = ip;
+
while (unlikely(*ip == 0)) {
- t += 255;
ip++;
NEED_IP(1);
}
- t += 7 + *ip++;
+ offset = ip - ip_last;
+ if (unlikely(offset > MAX_255_COUNT))
+ return LZO_E_ERROR;
+
+ offset = (offset << 8) - offset;
+ t += offset + 7 + *ip++;
NEED_IP(2);
}
next = get_unaligned_le16(ip);
--
1.7.12.2.21.g234cd45.dirty
next prev parent reply other threads:[~2014-11-16 21:54 UTC|newest]
Thread overview: 51+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <28c765bc23bd4bae1611534e510f49f8@local>
2014-11-16 21:53 ` [ 00/48] 2.6.32.64-longterm review Willy Tarreau
2014-11-16 21:53 ` [ 01/48] x86_32, entry: Do syscall exit work on badsys Willy Tarreau
2014-11-16 21:53 ` [ 02/48] x86_32, entry: Store badsys error code in %eax Willy Tarreau
2014-11-16 21:53 ` [ 03/48] x86_32, entry: Clean up sysenter_badsys declaration Willy Tarreau
2014-11-16 21:53 ` [ 04/48] MIPS: Cleanup flags in syscall flags handlers Willy Tarreau
2014-11-16 21:53 ` [ 05/48] MIPS: asm: thread_info: Add _TIF_SECCOMP flag Willy Tarreau
2014-11-16 21:53 ` [ 06/48] fix autofs/afs/etc. magic mountpoint breakage Willy Tarreau
2014-11-16 21:53 ` [ 07/48] ALSA: control: Make sure that id->index does not Willy Tarreau
2014-11-16 21:53 ` [ 08/48] ALSA: control: Handle numid overflow Willy Tarreau
2014-11-16 21:53 ` [ 09/48] sctp: Fix sk_ack_backlog wrap-around problem Willy Tarreau
2014-11-16 21:53 ` [ 10/48] mm: try_to_unmap_cluster() should lock_page() before Willy Tarreau
2014-11-16 21:53 ` [ 11/48] filter: prevent nla extensions to peek beyond the end Willy Tarreau
2014-11-16 21:53 ` [ 12/48] ALSA: control: Protect user controls against Willy Tarreau
2014-11-16 21:53 ` [ 13/48] ptrace,x86: force IRET path after a ptrace_stop() Willy Tarreau
2014-11-16 21:53 ` [ 14/48] sym53c8xx_2: Set DID_REQUEUE return code when aborting Willy Tarreau
2014-11-16 21:53 ` [ 15/48] tcp: fix tcp_match_skb_to_sack() for unaligned SACK at Willy Tarreau
2014-11-16 21:53 ` [ 16/48] igmp: fix the problem when mc leave group Willy Tarreau
2014-11-16 21:53 ` [ 17/48] appletalk: Fix socket referencing in skb Willy Tarreau
2014-11-16 21:53 ` [ 18/48] net: sctp: fix information leaks in ulpevent layer Willy Tarreau
2014-11-16 21:53 ` [ 19/48] sunvnet: clean up objects created in vnet_new() on Willy Tarreau
2014-11-16 21:53 ` [ 20/48] ipv4: fix buffer overflow in ip_options_compile() Willy Tarreau
2014-11-16 21:53 ` [ 21/48] net: sctp: inherit auth_capable on INIT collisions Willy Tarreau
2014-11-16 21:53 ` [ 22/48] net: sendmsg: fix NULL pointer dereference Willy Tarreau
2014-12-01 11:45 ` Luis Henriques
2014-12-01 12:30 ` Willy Tarreau
2014-11-16 21:53 ` [ 23/48] tcp: Fix integer-overflows in TCP veno Willy Tarreau
2014-11-16 21:53 ` [ 24/48] tcp: Fix integer-overflow in TCP vegas Willy Tarreau
2014-11-16 21:53 ` [ 25/48] macvlan: Initialize vlan_features to turn on offload Willy Tarreau
2014-11-16 21:53 ` [ 26/48] net: Correctly set segment mac_len in skb_segment() Willy Tarreau
2014-11-16 21:53 ` [ 27/48] iovec: make sure the caller actually wants anything in Willy Tarreau
2014-11-16 21:53 ` [ 28/48] sctp: fix possible seqlock seadlock in Willy Tarreau
2014-11-16 21:53 ` [ 29/48] Revert "nfsd: correctly handle return value from Willy Tarreau
2014-11-16 21:53 ` [ 30/48] dm crypt: fix access beyond the end of allocated space Willy Tarreau
2014-11-16 21:53 ` [ 31/48] gianfar: disable vlan tag insertion by default Willy Tarreau
2014-11-16 21:54 ` [ 32/48] USB: kobil_sct: fix non-atomic allocation in write Willy Tarreau
2014-11-16 21:54 ` [ 33/48] fix misuses of f_count() in ppp and netlink Willy Tarreau
2014-11-16 21:54 ` [ 34/48] net: sctp: fix skb_over_panic when receiving malformed Willy Tarreau
2014-11-16 21:54 ` [ 35/48] tty: Fix high cpu load if tty is unreleaseable Willy Tarreau
2014-11-16 21:54 ` [ 36/48] netfilter: nf_log: account for size of NLMSG_DONE Willy Tarreau
2014-11-16 21:54 ` [ 37/48] netfilter: nfnetlink_log: fix maximum packet length Willy Tarreau
2014-11-16 21:54 ` [ 38/48] ring-buffer: Always reset iterator to reader page Willy Tarreau
2014-11-16 21:54 ` [ 39/48] md/raid6: avoid data corruption during recovery of Willy Tarreau
2014-11-16 21:54 ` [ 40/48] net: pppoe: use correct channel MTU when using Willy Tarreau
2014-11-16 21:54 ` [ 41/48] ARM: 7668/1: fix memset-related crashes caused by Willy Tarreau
2014-11-16 21:54 ` [ 42/48] ARM: 7670/1: fix the memset fix Willy Tarreau
2014-11-16 21:54 ` [ 43/48] lib/lzo: Update LZO compression to current upstream Willy Tarreau
2014-11-16 21:54 ` [ 44/48] Documentation: lzo: document part of the encoding Willy Tarreau
2014-11-16 21:54 ` Willy Tarreau [this message]
2014-11-16 21:54 ` [ 46/48] USB: add new zte 3g-dongles pid to option.c Willy Tarreau
2014-11-16 21:54 ` [ 47/48] futex: Unlock hb->lock in futex_wait_requeue_pi() Willy Tarreau
2014-11-16 21:54 ` [ 48/48] isofs: Fix unbounded recursion when processing Willy Tarreau
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20141116215330.521414973@1wt.eu \
--to=w@1wt.eu \
--cc=donb@securitymouse.com \
--cc=gregkh@linuxfoundation.org \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).