lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-Id: <201101241519.07547.lasse.collin@tukaani.org>
Date:	Mon, 24 Jan 2011 15:19:07 +0200
From:	Lasse Collin <lasse.collin@...aani.org>
To:	Andreas Schwab <schwab@...ux-m68k.org>,
	Jesper Juhl <jj@...osbits.net>
Cc:	linux-kernel@...r.kernel.org
Subject: Re: Possible array overrun in lzma_reset()

On 2011-01-23 Andreas Schwab wrote:
> Jesper Juhl <jj@...osbits.net> writes:
>
> > 787           probs = s->lzma.is_match[0];
> > At conditional (1): "i < 14134UL" taking true path
> > At conditional (2): "i < 14134UL" taking true path
> > At conditional (3): "i < 14134UL" taking true path
> > 788           for (i = 0; i < PROBS_TOTAL; ++i)
> > Event overrun-local: Overrunning static array of size 32 bytes at byte position 28266 by indexing pointer "probs" with index variable "i".
> > Event overrun-local: Note: These bugs are often difficult to see at first glance. Coverity recommends a close inspection of the events leading to this overrun.
> > 789                   probs[i] = RC_BIT_MODEL_TOTAL / 2;
> > ...
> >
> > I looked into the report and found that 's->lzma.is_match' is
> >       uint16_t is_match[STATES][POS_STATES_MAX]
> > where 'STATES' is '#define STATES 12' and 'POS_STATES_MAX' is '#define POS_STATES_MAX (1 << 4)'.
> >
> > So I think the checker has a point.
>
> The loop treats the part of the structure from is_match to the end as
> a single array of PROBS_TOTAL uint16_t (which it is, in effect).

Correct. The comment in the code tries to say it too:

    * All probabilities are initialized to the same value. This hack
    * makes the code smaller by avoiding a separate loop for each
    * probability array.

So there is no bug.

-- 
Lasse Collin  |  IRC: Larhzu @ IRCnet & Freenode
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ