| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 1 Sep 2020 16:26:50 +0200
From: Paul Cercueil <paul@...pouillou.net>
To: Thomas Bogendoerfer <tsbogend@...ha.franken.de>,
Nick Terrell <terrelln@...com>
Cc: od@...c.me, linux-mips@...r.kernel.org,
linux-kernel@...r.kernel.org, Paul Cercueil <paul@...pouillou.net>
Subject: [PATCH v3 1/2] lib: decompress_unzstd: Limit output size
The zstd decompression code, as it is right now, will most likely fail
on 32-bit systems, as the default output buffer size causes the buffer's
end address to overflow.
Address this issue by setting a sane default to the default output size,
with a value that won't overflow the buffer's end address.
Signed-off-by: Paul Cercueil <paul@...pouillou.net>
---
Notes:
v2: Change limit to 1 GiB
v3: Compute size limit instead of using hardcoded value
lib/decompress_unzstd.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/lib/decompress_unzstd.c b/lib/decompress_unzstd.c
index 0ad2c15479ed..790abc472f5b 100644
--- a/lib/decompress_unzstd.c
+++ b/lib/decompress_unzstd.c
@@ -178,8 +178,13 @@ static int INIT __unzstd(unsigned char *in_buf, long in_len,
int err;
size_t ret;
+ /*
+ * ZSTD decompression code won't be happy if the buffer size is so big
+ * that its end address overflows. When the size is not provided, make
+ * it as big as possible without having the end address overflow.
+ */
if (out_len == 0)
- out_len = LONG_MAX; /* no limit */
+ out_len = UINTPTR_MAX - (uintptr_t)out_buf;
if (fill == NULL && flush == NULL)
/*
--
2.28.0
Powered by blists - more mailing lists