grub-devel
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH 2/2] lz4 overflow bug

From: Toomas Soome
Subject: Re: [PATCH 2/2] lz4 overflow bug
Date: Thu, 16 Apr 2015 07:51:50 +0300 
> On 16.04.2015, at 7:20, Andrei Borzenkov <address@hidden> wrote:
> 
> В Wed, 15 Apr 2015 23:51:16 +0300
> Toomas Soome <address@hidden> пишет:
> 
>> 
>> hi!
>> 
>> yep, this old bug is not fixed in grub. cpy can (theoretically?) overflow.
> 
> You mean "length"? Or do you really mean pointer overflow?
> 
> Anyway in both cases it seems more reasonable to check when length is
> computed, not after overflow, when it is already too late.

integer overflow.  from 0xFFFFFFFF to 0x0.

> 
>> 
>> ---
>> grub-core/fs/zfs/zfs_lz4.c |    2 ++
>> 1 file changed, 2 insertions(+)
>> 
>> diff --git a/grub-core/fs/zfs/zfs_lz4.c b/grub-core/fs/zfs/zfs_lz4.c
>> index 1212a89..ca6445d 100644
>> --- a/grub-core/fs/zfs/zfs_lz4.c
>> +++ b/grub-core/fs/zfs/zfs_lz4.c
>> @@ -185,6 +185,8 @@ LZ4_uncompress_unknownOutputSize(const char *source,
>>              }
>>              /* copy literals */
>>              cpy = op + length;
>> +            if (cpy < op)
>> +                    goto _output_error;
>>              if ((cpy > oend - COPYLENGTH) ||
>>                  (ip + length > iend - COPYLENGTH)) {
>>                      if (cpy > oend)
> 
> 
> _______________________________________________
> Grub-devel mailing list
> address@hidden
> https://lists.gnu.org/mailman/listinfo/grub-devel
reply via email to
[Prev in Thread] Current Thread [Next in Thread]