lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <4cefeab80705220219qeb00e09u47e992e884152b5b@mail.gmail.com>
Date:	Tue, 22 May 2007 14:49:51 +0530
From:	"Nitin Gupta" <nitingupta910@...il.com>
To:	"Richard Purdie" <richard@...nedhand.com>
Cc:	linux-kernel@...r.kernel.org
Subject: Re: [RFC] LZO1X de/compression support

Hi,

On 5/18/07, Richard Purdie <richard@...nedhand.com> wrote:
> > This patch, as of yet, only gives 'non-safe' version of decompressor.
> > The 'safe' version  will be included soon.
>
> How are you planning to add that back?
>

Please see newer patch posted.

> The LZO author had some concerns about this code. The major issue he
> highlighted was that it was 64-bit unsafe. Have you addressed that
> problem?
I found certain parts which were 64-bit unsafe - corrected them. Now,
I couldn't see any more of such instances and posted as RFC :)

>  Has it been tested on 64bit?
No. I am still looking for some 64-bit machine to test on (also some
Big-endian machine).

>
> I'm worried that in converting this code the way you have, you've
> possibly introduced potential security holes. You've removed all bounds
> checking and are going to have to add that back to create the "safe"
> version of the decompression function. Until I mentioned it, you seemed
> unaware of the potential problem and the comments above suggest you
> don't understand this code as fully as I'd like with regard to
> overflows.

I just did the 'logical' porting work. I don't understand the
algorithm itself since I could not find any document that describes
the same.

>
> The version I submitted has at least been subject to userspace scrutiny
> over a period of time and is basically unchanged with regard to
> security. It is much uglier though.
>
> Richard

Yes. But it will be even better if we can verify/correct this
cleaned-up version - shouldn't be that hard for just ~500 LOC :-)


Thanks for your comments.

- Nitin
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ