| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20181128135242.gy3avmbp2pdmjaka@twin.jikos.cz>
Date: Wed, 28 Nov 2018 14:52:42 +0100
From: David Sterba <dsterba@...e.cz>
To: Yueyi Li <liyueyi@...e.com>
Cc: "gregkh@...uxfoundation.org" <gregkh@...uxfoundation.org>,
"w@....eu" <w@....eu>,
"donb@...uritymouse.com" <donb@...uritymouse.com>,
"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
markus@...rhumer.com
Subject: Re: [PATCH v2] lzo: fix ip overrun during compress.
Adding Markus to to CC
On Wed, Nov 28, 2018 at 07:31:26AM +0000, Yueyi Li wrote:
> It`s possible ip overrun in lzo1x_1_do_compress() when compressed page is
> point to the end of memory and which virtual address is 0xfffffffffffff000.
> Leading to a NULL pointer access during the get_unaligned_le32(ip).
So this could happen in practice in zram, but unlikely for other users
of lzo (like btrfs). I'm not sure but expect that the last page would
not be returned by allocator.
The fix is adding a few branches to code that's supposed to be as fast
as possible. The branches would be evaluated all the time while
protecting against one signle bad page address. This does not look like
a good performance tradeoff.
> +#define OVERFLOW_ADD_CHECK(a, b) \
> + (((a) + (b)) < (a))
I'm not sure if this is generally safe overflow check (never not
optimized out). Here it depends on the types of 'a' and 'b' that are
pointer (ip) and size_t (m_len). GCC has __builtin_add_overflow_p so
that one should be used where possible.
Powered by blists - more mailing lists