| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20181128040820.GC19711@1wt.eu>
Date: Wed, 28 Nov 2018 05:08:20 +0100
From: Willy Tarreau <w@....eu>
To: Yueyi Li <liyueyi@...e.com>
Cc: "gregkh@...uxfoundation.org" <gregkh@...uxfoundation.org>,
"donb@...uritymouse.com" <donb@...uritymouse.com>,
"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH] lzo: fix ip overrun during compress.
Hi Yueyi,
On Tue, Nov 27, 2018 at 10:34:26AM +0000, Yueyi Li wrote:
> It`s possible ip overrun in lzo1x_1_do_compress() when compressed page is
> point to the end of memory and which virtual address is 0xfffffffffffff000.
> Leading to a NULL pointer access during the get_unaligned_le32(ip).
Thanks for this report.
(...)
> diff --git a/lib/lzo/lzo1x_compress.c b/lib/lzo/lzo1x_compress.c
> index 236eb21..a0265a6 100644
> --- a/lib/lzo/lzo1x_compress.c
> +++ b/lib/lzo/lzo1x_compress.c
> @@ -17,6 +17,9 @@
> #include <linux/lzo.h>
> #include "lzodefs.h"
>
> +#define OVERFLOW_ADD_CHECK(a, b) \
> + ((size_t)~0 - (size_t)(a) < (size_t)(b) ? true : false)
> +
I think the test would be easier to grasp this way :
#define OVERFLOW_ADD_CHECK(a, b) \
((size_t)(b) >= (size_t)((void*)0 - (void *)(a)))
But the following should be more efficient since we build with
-fno-strict-overflow :
#define OVERFLOW_ADD_CHECK(a, b) \
(((a) + (b)) < (a))
Could you please recheck ?
Thanks,
Willy
Powered by blists - more mailing lists