From patchwork Thu Dec 5 07:30:24 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Jan Beulich X-Patchwork-Id: 11274297 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 6D9CF930 for ; Thu, 5 Dec 2019 07:31:14 +0000 (UTC) Received: from lists.xenproject.org (lists.xenproject.org [192.237.175.120]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPS id 52FF2224F8 for ; Thu, 5 Dec 2019 07:31:14 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 52FF2224F8 Authentication-Results: mail.kernel.org; dmarc=none (p=none dis=none) header.from=suse.com Authentication-Results: mail.kernel.org; spf=none smtp.mailfrom=xen-devel-bounces@lists.xenproject.org Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.89) (envelope-from ) id 1iclaW-0006Vj-8U; Thu, 05 Dec 2019 07:30:12 +0000 Received: from us1-rack-iad1.inumbo.com ([172.99.69.81]) by lists.xenproject.org with esmtp (Exim 4.89) (envelope-from ) id 1iclaV-0006Vd-30 for xen-devel@lists.xenproject.org; Thu, 05 Dec 2019 07:30:11 +0000 X-Inumbo-ID: 1125e7b2-1731-11ea-a0d2-bc764e2007e4 Received: from mx1.suse.de (unknown [195.135.220.15]) by us1-rack-iad1.inumbo.com (Halon) with ESMTPS id 1125e7b2-1731-11ea-a0d2-bc764e2007e4; Thu, 05 Dec 2019 07:30:10 +0000 (UTC) X-Virus-Scanned: by amavisd-new at test-mx.suse.de Received: from relay2.suse.de (unknown [195.135.220.254]) by mx1.suse.de (Postfix) with ESMTP id 5EC69B247; Thu, 5 Dec 2019 07:30:09 +0000 (UTC) From: Jan Beulich To: "xen-devel@lists.xenproject.org" References: <521c23e1-9d89-8f26-572c-1b6f6bc3cbaa@suse.com> Message-ID: <4d783acc-35be-1b6d-00c7-f1ce88abdbcc@suse.com> Date: Thu, 5 Dec 2019 08:30:24 +0100 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:60.0) Gecko/20100101 Thunderbird/60.9.1 MIME-Version: 1.0 In-Reply-To: <521c23e1-9d89-8f26-572c-1b6f6bc3cbaa@suse.com> Content-Language: en-US Subject: [Xen-devel] [PATCH 1/3] lz4: refine commit 9143a6c55ef7 for the 64-bit case X-BeenThere: xen-devel@lists.xenproject.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: Xen developer discussion List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Cc: Juergen Gross , Stefano Stabellini , Julien Grall , Wei Liu , Konrad Wilk , George Dunlap , Andrew Cooper , Jeremi Piotrowski , Mark Pryor , Ian Jackson Errors-To: xen-devel-bounces@lists.xenproject.org Sender: "Xen-devel" I clearly went too far there: While the LZ4_WILDCOPY() instances indeed need prior guarding, LZ4_SECURECOPY() needs this only in the 32-bit case (where it simply aliases LZ4_WILDCOPY()). "cpy" can validly point (slightly) below "op" in these cases, due to cpy = op + length - (STEPSIZE - 4); where length can be as low as 0 and STEPSIZE is 8. However, instead of removing the check via "#if !LZ4_ARCH64", refine it such that it would also properly work in the 64-bit case, aborting decompression instead of continuing on bogus input. Reported-by: Mark Pryor Reported-by: Jeremi Piotrowski Signed-off-by: Jan Beulich Tested-by: Mark Pryor --- a/xen/common/lz4/decompress.c +++ b/xen/common/lz4/decompress.c @@ -147,7 +147,7 @@ static int INIT lz4_uncompress(const uns goto _output_error; continue; } - if (unlikely((unsigned long)cpy < (unsigned long)op)) + if (unlikely((unsigned long)cpy < (unsigned long)op - (STEPSIZE - 4))) goto _output_error; LZ4_SECURECOPY(ref, op, cpy); op = cpy; /* correction */ @@ -279,7 +279,7 @@ static int lz4_uncompress_unknownoutputs goto _output_error; continue; } - if (unlikely((unsigned long)cpy < (unsigned long)op)) + if (unlikely((unsigned long)cpy < (unsigned long)op - (STEPSIZE - 4))) goto _output_error; LZ4_SECURECOPY(ref, op, cpy); op = cpy; /* correction */