[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Xen-changelog] [xen stable-4.4] lz4: check for underruns

To: xen-changelog@xxxxxxxxxxxxxxxxxxx
From: patchbot@xxxxxxx
Date: Sun, 24 Aug 2014 14:55:03 +0000
Delivery-date: Sun, 24 Aug 2014 14:55:32 +0000
List-id: "Change log for Mercurial \(receive only\)" <xen-changelog.lists.xen.org>

commit 4328fdf3873f0a6f77c1ecb61873b103ceb6d8cb
Author:     Jan Beulich <jbeulich@xxxxxxxx>
AuthorDate: Fri Aug 22 14:06:20 2014 +0200
Commit:     Jan Beulich <jbeulich@xxxxxxxx>
CommitDate: Fri Aug 22 14:06:20 2014 +0200

    lz4: check for underruns
    
    While overruns are already being taken care of, underruns (resulting
    from overflows in the respective "op + length" (or similar) operations
    weren't.
    
    This is CVE-2014-4611.
    
    Signed-off-by: Jan Beulich <jbeulich@xxxxxxxx>
    Acked-by: Ian Campbell <ian.campbell@xxxxxxxxxx>
    master commit: 9143a6c55ef7e8f630857cb08c03844d372c2345
    master date: 2014-08-04 13:43:03 +0200
---
 xen/common/lz4/decompress.c |    8 ++++++++
 1 files changed, 8 insertions(+), 0 deletions(-)

diff --git a/xen/common/lz4/decompress.c b/xen/common/lz4/decompress.c
index 40b3381..5cf8f37 100644
--- a/xen/common/lz4/decompress.c
+++ b/xen/common/lz4/decompress.c
@@ -84,6 +84,8 @@ static int INIT lz4_uncompress(const unsigned char *source, 
unsigned char *dest,
                        ip += length;
                        break; /* EOF */
                }
+               if (unlikely((unsigned long)cpy < (unsigned long)op))
+                       goto _output_error;
                LZ4_WILDCOPY(ip, op, cpy);
                ip -= (op - cpy);
                op = cpy;
@@ -142,6 +144,8 @@ static int INIT lz4_uncompress(const unsigned char *source, 
unsigned char *dest,
                                goto _output_error;
                        continue;
                }
+               if (unlikely((unsigned long)cpy < (unsigned long)op))
+                       goto _output_error;
                LZ4_SECURECOPY(ref, op, cpy);
                op = cpy; /* correction */
        }
@@ -207,6 +211,8 @@ static int lz4_uncompress_unknownoutputsize(const unsigned 
char *source,
                        op += length;
                        break;/* Necessarily EOF, due to parsing restrictions */
                }
+               if (unlikely((unsigned long)cpy < (unsigned long)op))
+                       goto _output_error;
                LZ4_WILDCOPY(ip, op, cpy);
                ip -= (op - cpy);
                op = cpy;
@@ -270,6 +276,8 @@ static int lz4_uncompress_unknownoutputsize(const unsigned 
char *source,
                                goto _output_error;
                        continue;
                }
+               if (unlikely((unsigned long)cpy < (unsigned long)op))
+                       goto _output_error;
                LZ4_SECURECOPY(ref, op, cpy);
                op = cpy; /* correction */
        }
--
generated by git-patchbot for /home/xen/git/xen.git#stable-4.4

_______________________________________________
Xen-changelog mailing list
Xen-changelog@xxxxxxxxxxxxx
http://lists.xensource.com/xen-changelog

Prev by Date: [Xen-changelog] [xen stable-4.4] Revert "x86/paging: make log-dirty operations preemptible"
Next by Date: [Xen-changelog] [xen stable-4.4] x86_emulate: properly do IP updates and other side effects on success
Previous by thread: [Xen-changelog] [xen stable-4.4] Revert "x86/paging: make log-dirty operations preemptible"
Next by thread: [Xen-changelog] [xen stable-4.4] x86_emulate: properly do IP updates and other side effects on success
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.