[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Xen-devel] [PATCH 1/3] lz4: refine commit 9143a6c55ef7 for the 64-bit case

To: "xen-devel@xxxxxxxxxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxxxxxxxxx>
From: Jan Beulich <jbeulich@xxxxxxxx>
Date: Thu, 5 Dec 2019 08:30:24 +0100
Cc: Juergen Gross <jgross@xxxxxxxx>, Stefano Stabellini <sstabellini@xxxxxxxxxx>, Julien Grall <julien@xxxxxxx>, Wei Liu <wl@xxxxxxx>, Konrad Wilk <konrad.wilk@xxxxxxxxxx>, George Dunlap <George.Dunlap@xxxxxxxxxxxxx>, Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, Jeremi Piotrowski <jeremi.piotrowski@xxxxxxxxx>, Mark Pryor <pryorm09@xxxxxxxxx>, Ian Jackson <ian.jackson@xxxxxxxxxx>
Delivery-date: Thu, 05 Dec 2019 07:30:14 +0000
List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

I clearly went too far there: While the LZ4_WILDCOPY() instances indeed
need prior guarding, LZ4_SECURECOPY() needs this only in the 32-bit case
(where it simply aliases LZ4_WILDCOPY()). "cpy" can validly point
(slightly) below "op" in these cases, due to

                cpy = op + length - (STEPSIZE - 4);

where length can be as low as 0 and STEPSIZE is 8. However, instead of
removing the check via "#if !LZ4_ARCH64", refine it such that it would
also properly work in the 64-bit case, aborting decompression instead
of continuing on bogus input.

Reported-by: Mark Pryor <pryorm09@xxxxxxxxx>
Reported-by: Jeremi Piotrowski <jeremi.piotrowski@xxxxxxxxx>
Signed-off-by: Jan Beulich <jbeulich@xxxxxxxx>
Tested-by: Mark Pryor <pryorm09@xxxxxxxxx>

--- a/xen/common/lz4/decompress.c
+++ b/xen/common/lz4/decompress.c
@@ -147,7 +147,7 @@ static int INIT lz4_uncompress(const uns
                                goto _output_error;
                        continue;
                }
-               if (unlikely((unsigned long)cpy < (unsigned long)op))
+               if (unlikely((unsigned long)cpy < (unsigned long)op - (STEPSIZE 
- 4)))
                        goto _output_error;
                LZ4_SECURECOPY(ref, op, cpy);
                op = cpy; /* correction */
@@ -279,7 +279,7 @@ static int lz4_uncompress_unknownoutputs
                                goto _output_error;
                        continue;
                }
-               if (unlikely((unsigned long)cpy < (unsigned long)op))
+               if (unlikely((unsigned long)cpy < (unsigned long)op - (STEPSIZE 
- 4)))
                        goto _output_error;
                LZ4_SECURECOPY(ref, op, cpy);
                op = cpy; /* correction */


_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxxx
https://lists.xenproject.org/mailman/listinfo/xen-devel

References:
- [Xen-devel] [PATCH 0/3] lz4: misc fixes / adjustments
  - From: Jan Beulich

Prev by Date: [Xen-devel] [PATCH 0/3] lz4: misc fixes / adjustments
Next by Date: [Xen-devel] [PATCH 2/3] lz4: pull out constant tables
Previous by thread: [Xen-devel] [PATCH 0/3] lz4: misc fixes / adjustments
Next by thread: [Xen-devel] [PATCH 2/3] lz4: pull out constant tables
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.