Re: [Xen-devel] [PATCH] LZ4 : fix the data abort issue
On Wed, 2015-03-25 at 16:14 +0000, Jan Beulich wrote:
> If the part of the compression data are corrupted, or the compression
> data is totally fake, the memory access over the limit is possible.
>
> This is the log from my system using lz4 decompression.
> [6502]data abort, halting
> [6503]r0 0x00000000 r1 0x00000000 r2 0xdcea0ffc r3 0xdcea0ffc
> [6509]r4 0xb9ab0bfd r5 0xdcea0ffc r6 0xdcea0ff8 r7 0xdce80000
> [6515]r8 0x00000000 r9 0x00000000 r10 0x00000000 r11 0xb9a98000
> [6522]r12 0xdcea1000 usp 0x00000000 ulr 0x00000000 pc 0x820149bc
> [6528]spsr 0x400001f3
> and the memory addresses of some variables at the moment are
> ref:0xdcea0ffc, op:0xdcea0ffc, oend:0xdcea1000
>
> As you can see, COPYLENGTH is 8 bytes, so @ref and @op can access the memory
> over @oend.
>
> Signed-off-by: JeHyeon Yeon <tom.yeon@xxxxxxxxxxxxx>
> Reviewed-by: David Sterba <dsterba@xxxxxxx>
> [Linux commit d5e7cafd69da24e6d6cc988fab6ea313a2577efc]
> Signed-off-by: Jan Beulich <jbeulich@xxxxxxxx>

Acked-by: Ian Campbell <ian.campbell@xxxxxxxxxx>

>
> --- a/xen/common/lz4/decompress.c > +++ b/xen/common/lz4/decompress.c > @@ -132,6 +132,9 @@ static int INIT lz4_uncompress(const uns > /* Error: request to write beyond destination buffer */ > if (cpy > oend) > goto _output_error; > + if ((ref + COPYLENGTH) > oend || > + (op + COPYLENGTH) > oend) > + goto _output_error; > LZ4_SECURECOPY(ref, op, (oend - COPYLENGTH)); > while (op < cpy) > *op++ = *ref++;

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel
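Review bot: In the added test before LZ4_SECURECOPY, `(ref + COPYLENGTH) > oend` and `(op + COPYLENGTH) > oend` form the pointer first and compare afterwards. Once `ref` or `op` is within COPYLENGTH of the end of the buffer (the quoted log has ref and op at 0xdcea0ffc with oend at 0xdcea1000), that sum points past one-past-the-end, which C leaves undefined and which can wrap for a buffer placed near the top of the address space. Comparing the remaining space instead, for example `(oend - ref) < COPYLENGTH || (oend - op) < COPYLENGTH`, avoids forming the out-of-range pointer, provided `ref <= oend` and `op <= oend` already hold at this point, which is not visible in this hunk. The new test also has no comment, unlike the `cpy > oend` check directly above it; one line noting that the copy proceeds in COPYLENGTH-sized steps, as the commit message explains, would say why a second bound is needed.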