Date: Wed, 12 Dec 2018 13:03:22 +0100
From: David Sterba <dsterba@...e.cz>
To: Yueyi Li <liyueyi@...e.com>
Cc: "markus@...rhumer.com" <markus@...rhumer.com>, "w@....eu" <w@....eu>, "gregkh@...uxfoundation.org" <gregkh@...uxfoundation.org>, "dave.rodgman@....com" <dave.rodgman@....com>, "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH v3] lzo: fix ip overrun during compress.

On Wed, Dec 12, 2018 at 07:03:14AM +0000, Yueyi Li wrote:
> It's possible ip overrun in lzo1x_1_do_compress() when compressed page is
> point to the end of memory and which virtual address is 0xfffffffffffff000.
> Leading to a NULL pointer access during the get_unaligned_le32(ip).
>
> ip = x9 = 0x0000000000000009 is overflow.
>
> @@ -224,8 +224,8 @@ int lzo1x_1_compress(const unsigned char *in, size_t in_len, > > while (l > 20) { > size_t ll = l <= (M4_MAX_OFFSET + 1) ? l : (M4_MAX_OFFSET + 1); > - uintptr_t ll_end = (uintptr_t) ip + ll; > - if ((ll_end + ((t + ll) >> 5)) <= ll_end) > + // check for address space wraparound > + if (((uintptr_t) ip + ll + ((t + ll) >> 5)) <= (uintptr_t) ip) > break;

Please use the /* */ comment style and enhance the comment contents to be
more descriptive what overflows and how.

> BUILD_BUG_ON(D_SIZE * sizeof(lzo_dict_t) > LZO1X_1_MEM_COMPRESS); > memset(wrkmem, 0, D_SIZE * sizeof(lzo_dict_t));
> --
> 2.7.4
>
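
Review bot: the added `// check for address space wraparound` comment above the new `if` in the `while (l > 20)` loop does not say which addition wraps or why the comparison target changed. The removed check compared the sum against `ll_end`, which is itself `(uintptr_t) ip + ll`, so it could only catch a wrap introduced by the `(t + ll) >> 5` term; if `ip + ll` had already wrapped, both sides were small and the test passed. The new form compares the whole sum against `(uintptr_t) ip`, which also catches `ip + ll` wrapping, the case the commit message describes for a page at 0xfffffffffffff000. Suggest spelling that out in a /* */ block comment, naming `ip + ll` and the `(t + ll) >> 5` slack as the terms that can run past the top of the address space, and stating that the loop stops early via `break` when they do.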