Re: [PATCH v3] lzo: fix ip overrun during compress.

From: David Sterba
Date: Wed Dec 12 2018 - 07:03:51 EST

Next message: Dmitry V. Levin: "Re: [PATCH v5 13/25] m68k: add asm/syscall.h"
Previous message: Andrea Parri: "Re: [RFC PATCH 4/4] x86/TSC: Use RDTSCP"
In reply to: Yueyi Li: "[PATCH v3] lzo: fix ip overrun during compress."
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Wed, Dec 12, 2018 at 07:03:14AM +0000, Yueyi Li wrote:
> It`s possible ip overrun in lzo1x_1_do_compress() when compressed page is
> point to the end of memory and which virtual address is 0xfffffffffffff000.
> Leading to a NULL pointer access during the get_unaligned_le32(ip).
>
> ip = x9 = 0x0000000000000009 is overflow.
>
> @@ -224,8 +224,8 @@ int lzo1x_1_compress(const unsigned char *in, size_t in_len,
>
> while (l > 20) {
> size_t ll = l <= (M4_MAX_OFFSET + 1) ? l : (M4_MAX_OFFSET + 1);
> - uintptr_t ll_end = (uintptr_t) ip + ll;
> - if ((ll_end + ((t + ll) >> 5)) <= ll_end)
> + // check for address space wraparound
> + if (((uintptr_t) ip + ll + ((t + ll) >> 5)) <= (uintptr_t) ip)
> break;

Please use the /* */ comment style and enhance the comment contents to
be more descriptive what overflows and how.

> BUILD_BUG_ON(D_SIZE * sizeof(lzo_dict_t) > LZO1X_1_MEM_COMPRESS);
> memset(wrkmem, 0, D_SIZE * sizeof(lzo_dict_t));
> --
> 2.7.4
>

Next message: Dmitry V. Levin: "Re: [PATCH v5 13/25] m68k: add asm/syscall.h"
Previous message: Andrea Parri: "Re: [RFC PATCH 4/4] x86/TSC: Use RDTSCP"
In reply to: Yueyi Li: "[PATCH v3] lzo: fix ip overrun during compress."
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]