lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Tue, 21 Feb 2023 14:16:17 +0100
From:   Mikhail Zaslonko <zaslonko@...ux.ibm.com>
To:     Andrew Morton <akpm@...ux-foundation.org>
Cc:     Heiko Carstens <hca@...ux.ibm.com>,
        Vasily Gorbik <gor@...ux.ibm.com>, zaslonko@...ux.ibm.com,
        LKML <linux-kernel@...r.kernel.org>
Subject: [PATCH 1/1] lib/zlib: DFLTCC deflate does not write all available bits for Z_NO_FLUSH

DFLTCC deflate with Z_NO_FLUSH might generate a corrupted stream when
the output buffer is not large enough to fit all the deflate output at
once. The problem takes place on closing the deflate block since
flush_pending() might leave some output bits not written.
Similar problem for software deflate with Z_BLOCK flush option (not
supported by kernel zlib deflate) has been fixed a while ago in userspace
zlib but the fix never got to the kernel.
Now flush_pending() flushes the bit buffer before copying out the byte buffer,
in order to really flush as much as possible.
Currently there are no users of DFLTCC deflate with Z_NO_FLUSH option in the
kernel so the problem remained hidden for a while.

This commit is based on the old zlib commit:
https://github.com/madler/zlib/commit/0b828b4

Signed-off-by: Mikhail Zaslonko <zaslonko@...ux.ibm.com>
Acked-by: Ilya Leoshkevich <iii@...ux.ibm.com>
---
 lib/zlib_deflate/defutil.h | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/lib/zlib_deflate/defutil.h b/lib/zlib_deflate/defutil.h
index 385333b22ec6..4ea40f5a279f 100644
--- a/lib/zlib_deflate/defutil.h
+++ b/lib/zlib_deflate/defutil.h
@@ -420,9 +420,11 @@ static inline void flush_pending(
 	z_streamp strm
 )
 {
+    unsigned len;
     deflate_state *s = (deflate_state *) strm->state;
-    unsigned len = s->pending;
 
+    bi_flush(s);
+    len = s->pending;
     if (len > strm->avail_out) len = strm->avail_out;
     if (len == 0) return;
 
-- 
2.37.2

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ