|
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [Xen-devel] [PATCH] lz4: check for underruns
While overruns are already being taken care of, underruns (resulting
from overflows in the respective "op + length" (or similar) operations
weren't.
This is CVE-2014-4611.
Signed-off-by: Jan Beulich <jbeulich@xxxxxxxx>
---
Note that while a similar patch was proposed for Linux as replacement
for the three ones not really fixing the issue, there was no response
to them within over three weeks. Rather than continuing to wait in
order to not have our code needlessly diverge from the Linux original,
aim at fixing the issue in our tree now with the option of replacing
this fix with a Linux upstream blessed one later on.
--- a/xen/common/lz4/decompress.c
+++ b/xen/common/lz4/decompress.c
@@ -84,6 +84,8 @@ static int INIT lz4_uncompress(const uns
ip += length;
break; /* EOF */
}
+ if (unlikely((unsigned long)cpy < (unsigned long)op))
+ goto _output_error;
LZ4_WILDCOPY(ip, op, cpy);
ip -= (op - cpy);
op = cpy;
@@ -142,6 +144,8 @@ static int INIT lz4_uncompress(const uns
goto _output_error;
continue;
}
+ if (unlikely((unsigned long)cpy < (unsigned long)op))
+ goto _output_error;
LZ4_SECURECOPY(ref, op, cpy);
op = cpy; /* correction */
}
@@ -207,6 +211,8 @@ static int lz4_uncompress_unknownoutputs
op += length;
break;/* Necessarily EOF, due to parsing restrictions */
}
+ if (unlikely((unsigned long)cpy < (unsigned long)op))
+ goto _output_error;
LZ4_WILDCOPY(ip, op, cpy);
ip -= (op - cpy);
op = cpy;
@@ -270,6 +276,8 @@ static int lz4_uncompress_unknownoutputs
goto _output_error;
continue;
}
+ if (unlikely((unsigned long)cpy < (unsigned long)op))
+ goto _output_error;
LZ4_SECURECOPY(ref, op, cpy);
op = cpy; /* correction */
}
Attachment:
lz4-check-underruns.patch _______________________________________________ Xen-devel mailing list Xen-devel@xxxxxxxxxxxxx http://lists.xen.org/xen-devel
|
 |
Lists.xenproject.org is hosted with RackSpace, monitoring our |