[3.13.y.z extended stable] Patch "lz4: fix another possible overrun" has been added to staging queue

Kamal Mostafa kamal at canonical.com
Tue Jul 15 21:30:02 UTC 2014 

This is a note to let you know that I have just added a patch titled

    lz4: fix another possible overrun

to the linux-3.13.y-queue branch of the 3.13.y.z extended stable tree 
which can be found at:

 http://kernel.ubuntu.com/git?p=ubuntu/linux.git;a=shortlog;h=refs/heads/linux-3.13.y-queue

This patch is scheduled to be released in version 3.13.11.5.

If you, or anyone else, feels it should not be added to this tree, please 
reply to this email.

For more information about the 3.13.y.z tree, see
https://wiki.ubuntu.com/Kernel/Dev/ExtendedStable

Thanks.
-Kamal

------

>From efecbff70b6e4be850d46589c52827305cc28a86 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman <gregkh at linuxfoundation.org>
Date: Tue, 24 Jun 2014 16:59:01 -0400
Subject: lz4: fix another possible overrun

commit 4148c1f67abf823099b2d7db6851e4aea407f5ee upstream.

There is one other possible overrun in the lz4 code as implemented by
Linux at this point in time (which differs from the upstream lz4
codebase, but will get synced at in a future kernel release.)  As
pointed out by Don, we also need to check the overflow in the data
itself.

While we are at it, replace the odd error return value with just a
"simple" -1 value as the return value is never used for anything other
than a basic "did this work or not" check.

Reported-by: "Don A. Bailey" <donb at securitymouse.com>
Reported-by: Willy Tarreau <w at 1wt.eu>
Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>
Signed-off-by: Kamal Mostafa <kamal at canonical.com>
---
 lib/lz4/lz4_decompress.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/lib/lz4/lz4_decompress.c b/lib/lz4/lz4_decompress.c
index 99a03ac..b74da44 100644
--- a/lib/lz4/lz4_decompress.c
+++ b/lib/lz4/lz4_decompress.c
@@ -108,6 +108,8 @@ static int lz4_uncompress(const char *source, char *dest, int osize)
 		if (length == ML_MASK) {
 			for (; *ip == 255; length += 255)
 				ip++;
+			if (unlikely(length > (size_t)(length + *ip)))
+				goto _output_error;
 			length += *ip++;
 		}

@@ -157,7 +159,7 @@ static int lz4_uncompress(const char *source, char *dest, int osize)

 	/* write overflow error detected */
 _output_error:
-	return (int) (-(((char *)ip) - source));
+	return -1;
 }

 static int lz4_uncompress_unknownoutputsize(const char *source, char *dest,
--
1.9.1

More information about the kernel-team mailing list