[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Xen-changelog] [xen master] lz4: check for underruns



commit 9143a6c55ef7e8f630857cb08c03844d372c2345
Author:     Jan Beulich <jbeulich@xxxxxxxx>
AuthorDate: Mon Aug 4 13:43:03 2014 +0200
Commit:     Jan Beulich <jbeulich@xxxxxxxx>
CommitDate: Mon Aug 4 13:43:03 2014 +0200

    lz4: check for underruns
    
    While overruns are already being taken care of, underruns (resulting
    from overflows in the respective "op + length" (or similar) operations
    weren't.
    
    This is CVE-2014-4611.
    
    Signed-off-by: Jan Beulich <jbeulich@xxxxxxxx>
    Acked-by: Ian Campbell <ian.campbell@xxxxxxxxxx>
---
 xen/common/lz4/decompress.c |    8 ++++++++
 1 files changed, 8 insertions(+), 0 deletions(-)

diff --git a/xen/common/lz4/decompress.c b/xen/common/lz4/decompress.c
index 40b3381..5cf8f37 100644
--- a/xen/common/lz4/decompress.c
+++ b/xen/common/lz4/decompress.c
@@ -84,6 +84,8 @@ static int INIT lz4_uncompress(const unsigned char *source, 
unsigned char *dest,
                        ip += length;
                        break; /* EOF */
                }
+               if (unlikely((unsigned long)cpy < (unsigned long)op))
+                       goto _output_error;
                LZ4_WILDCOPY(ip, op, cpy);
                ip -= (op - cpy);
                op = cpy;
@@ -142,6 +144,8 @@ static int INIT lz4_uncompress(const unsigned char *source, 
unsigned char *dest,
                                goto _output_error;
                        continue;
                }
+               if (unlikely((unsigned long)cpy < (unsigned long)op))
+                       goto _output_error;
                LZ4_SECURECOPY(ref, op, cpy);
                op = cpy; /* correction */
        }
@@ -207,6 +211,8 @@ static int lz4_uncompress_unknownoutputsize(const unsigned 
char *source,
                        op += length;
                        break;/* Necessarily EOF, due to parsing restrictions */
                }
+               if (unlikely((unsigned long)cpy < (unsigned long)op))
+                       goto _output_error;
                LZ4_WILDCOPY(ip, op, cpy);
                ip -= (op - cpy);
                op = cpy;
@@ -270,6 +276,8 @@ static int lz4_uncompress_unknownoutputsize(const unsigned 
char *source,
                                goto _output_error;
                        continue;
                }
+               if (unlikely((unsigned long)cpy < (unsigned long)op))
+                       goto _output_error;
                LZ4_SECURECOPY(ref, op, cpy);
                op = cpy; /* correction */
        }
--
generated by git-patchbot for /home/xen/git/xen.git#master

_______________________________________________
Xen-changelog mailing list
Xen-changelog@xxxxxxxxxxxxx
http://lists.xensource.com/xen-changelog


 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.