From: Ian Campbell <Ian.Campbell@eu.citrix.com>
To: Ian Jackson <Ian.Jackson@eu.citrix.com>
Cc: xen-devel <xen-devel@lists.xenproject.org>,
Keir Fraser <keir@xen.org>, Jan Beulich <JBeulich@suse.com>,
Tim Deegan <tim@xen.org>
Subject: Re: [PATCH 2/2] lzo: check for length overrun in variable length encoding
Date: Tue, 4 Nov 2014 11:35:13 +0000 [thread overview]
Message-ID: <1415100913.11486.31.camel@eu.citrix.com> (raw)
In-Reply-To: <21592.46976.780608.557136@mariner.uk.xensource.com>
On Tue, 2014-11-04 at 11:24 +0000, Ian Jackson wrote:
> Jan Beulich writes ("[PATCH 2/2] lzo: check for length overrun in variable length encoding"):
> > This fix ensures that we never meet an integer overflow while adding
> > 255 while parsing a variable length encoding. It works differently from
> > commit 504f70b6 ("lzo: properly check for overruns") because instead of
> > ensuring that we don't overrun the input, which is tricky to guarantee
> > due to many assumptions in the code, it simply checks that the cumulated
> > number of 255 read cannot overflow by bounding this number.
>
> AFAICT this decompressor is exposed to untrusted guest kernel images.
Only in mini-os context, I think. AIUI dom0 hosted libxc uses liblzo2.
Not 100% sure of that, but tools/libxc/Makefile's handling of
xc_dom_decompress_unsafe_lzo1x seems to confirm what I thought.
Aside from that, I presume you are trying to say that the description of
the fix suggests the code would be vulnerable to untrusted input? It
looks to me as if it is infact OK for untrusted input, but perhaps I've
misunderstood what it is doing.
Ian.
next prev parent reply other threads:[~2014-11-04 11:35 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-11-03 14:47 [PATCH 0/2] lzo: refine overrun checking Jan Beulich
2014-11-03 15:01 ` [PATCH 1/2] Revert "lzo: properly check for overruns" Jan Beulich
2014-11-03 15:02 ` [PATCH 2/2] lzo: check for length overrun in variable length encoding Jan Beulich
2014-11-04 11:24 ` Ian Jackson
2014-11-04 11:35 ` Ian Campbell [this message]
2014-11-04 9:37 ` [PATCH 0/2] lzo: refine overrun checking Ian Campbell
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1415100913.11486.31.camel@eu.citrix.com \
--to=ian.campbell@eu.citrix.com \
--cc=Ian.Jackson@eu.citrix.com \
--cc=JBeulich@suse.com \
--cc=keir@xen.org \
--cc=tim@xen.org \
--cc=xen-devel@lists.xenproject.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).