[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[xen stable-4.10] lz4: refine commit 9143a6c55ef7 for the 64-bit case

To: xen-changelog@xxxxxxxxxxxxxxxxxxxx
From: patchbot@xxxxxxx
Date: Sun, 21 Jun 2020 17:12:43 +0000
Delivery-date: Sun, 21 Jun 2020 17:12:45 +0000
List-id: "Change log for Mercurial \(receive only\)" <xen-changelog.lists.xenproject.org>

commit bd20589e6d687bd768b4016ccda0727b409b08e6
Author:     Jan Beulich <jbeulich@xxxxxxxx>
AuthorDate: Wed Dec 11 15:34:51 2019 +0100
Commit:     Ian Jackson <ian.jackson@xxxxxxxxxxxxx>
CommitDate: Mon Jun 15 14:41:49 2020 +0100

    lz4: refine commit 9143a6c55ef7 for the 64-bit case
    
    I clearly went too far there: While the LZ4_WILDCOPY() instances indeed
    need prior guarding, LZ4_SECURECOPY() needs this only in the 32-bit case
    (where it simply aliases LZ4_WILDCOPY()). "cpy" can validly point
    (slightly) below "op" in these cases, due to
    
                    cpy = op + length - (STEPSIZE - 4);
    
    where length can be as low as 0 and STEPSIZE is 8. However, instead of
    removing the check via "#if !LZ4_ARCH64", refine it such that it would
    also properly work in the 64-bit case, aborting decompression instead
    of continuing on bogus input.
    
    Reported-by: Mark Pryor <pryorm09@xxxxxxxxx>
    Reported-by: Jeremi Piotrowski <jeremi.piotrowski@xxxxxxxxx>
    Signed-off-by: Jan Beulich <jbeulich@xxxxxxxx>
    Tested-by: Mark Pryor <pryorm09@xxxxxxxxx>
    Tested-by: Jeremi Piotrowski <jeremi.piotrowski@xxxxxxxxx>
    Acked-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
    master commit: 2d7572cdfa4d481c1ca246aa1ce5239ccae7eb59
    master date: 2019-12-09 14:01:25 +0100
    
    (cherry picked from commit 6561994b87af3e9cd28ee99c42e8b2697621687d)
---
 xen/common/lz4/decompress.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/xen/common/lz4/decompress.c b/xen/common/lz4/decompress.c
index 94ad591331..e8636e193a 100644
--- a/xen/common/lz4/decompress.c
+++ b/xen/common/lz4/decompress.c
@@ -147,7 +147,7 @@ static int INIT lz4_uncompress(const unsigned char *source, 
unsigned char *dest,
                                goto _output_error;
                        continue;
                }
-               if (unlikely((unsigned long)cpy < (unsigned long)op))
+               if (unlikely((unsigned long)cpy < (unsigned long)op - (STEPSIZE 
- 4)))
                        goto _output_error;
                LZ4_SECURECOPY(ref, op, cpy);
                op = cpy; /* correction */
@@ -279,7 +279,7 @@ static int lz4_uncompress_unknownoutputsize(const unsigned 
char *source,
                                goto _output_error;
                        continue;
                }
-               if (unlikely((unsigned long)cpy < (unsigned long)op))
+               if (unlikely((unsigned long)cpy < (unsigned long)op - (STEPSIZE 
- 4)))
                        goto _output_error;
                LZ4_SECURECOPY(ref, op, cpy);
                op = cpy; /* correction */
--
generated by git-patchbot for /home/xen/git/xen.git#stable-4.10

Prev by Date: [xen stable-4.10] x86/spec-ctrl: Allow the RDRAND/RDSEED features to be hidden
Next by Date: [xen stable-4.10] lz4: fix system halt at boot kernel on x86_64
Previous by thread: [xen stable-4.10] x86/spec-ctrl: Allow the RDRAND/RDSEED features to be hidden
Next by thread: [xen stable-4.10] lz4: fix system halt at boot kernel on x86_64
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.