lzo: properly check for overruns

The lzo decompressor can, if given some really crazy data, possibly overrun some variable types. Modify the checking logic to properly detect overruns before they happen. Reported-by: "Don A. Bailey" <donb@securitymouse.com> Tested-by: "Don A. Bailey" <donb@securitymouse.com> Cc: stable <stable@vger.kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
author: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2014-06-21 01:00:53 -0400
committer: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2014-06-23 14:12:01 -0400
commit: 206a81c18401c0cde6e579164f752c4b147324ce (patch)
tree: 9a8eae6e89068e372ace1ac0a13af5c76b09faf9 /lib
parent: 7171511eaec5bf23fb06078f59784a3a0626b38f (diff)
1 files changed, 41 insertions, 21 deletions
diff --git a/lib/lzo/lzo1x_decompress_safe.c b/lib/lzo/lzo1x_decompress_safe.c
index 569985d522d5..8563081e8da3 100644
--- a/lib/lzo/lzo1x_decompress_safe.c
+++ b/lib/lzo/lzo1x_decompress_safe.c
@@ -19,11 +19,31 @@
 #include <linux/lzo.h>
 #include "lzodefs.h"
-#define HAVE_IP(x)      ((size_t)(ip_end - ip) >= (size_t)(x))
+#define HAVE_IP(t, x)                                   \
-#define HAVE_OP(x)      ((size_t)(op_end - op) >= (size_t)(x))
+        (((size_t)(ip_end - ip) >= (size_t)(t + x)) &&  \
-#define NEED_IP(x)      if (!HAVE_IP(x)) goto input_overrun
+         (((t + x) >= t) && ((t + x) >= x)))
-#define NEED_OP(x)      if (!HAVE_OP(x)) goto output_overrun
-#define TEST_LB(m_pos)  if ((m_pos) < out) goto lookbehind_overrun
+#define HAVE_OP(t, x)                                   \
+        (((size_t)(op_end - op) >= (size_t)(t + x)) &&  \
+         (((t + x) >= t) && ((t + x) >= x)))
+#define NEED_IP(t, x)                                   \
+        do {                                            \
+                if (!HAVE_IP(t, x))                     \
+                        goto input_overrun;             \
+        } while (0)
+#define NEED_OP(t, x)                                   \
+        do {                                            \
+                if (!HAVE_OP(t, x))                     \
+                        goto output_overrun;            \
+        } while (0)
+#define TEST_LB(m_pos)                                  \
+        do {                                            \
+                if ((m_pos) < out)                      \
+                        goto lookbehind_overrun;        \
+        } while (0)
 int lzo1x_decompress_safe(const unsigned char *in, size_t in_len,
                          unsigned char *out, size_t *out_len)
@@ -58,14 +78,14 @@ int lzo1x_decompress_safe(const unsigned char *in, size_t in_len,
                                        while (unlikely(*ip == 0)) {
                                                t += 255;
                                                ip++;
-                                                NEED_IP(1);
+                                                NEED_IP(1, 0);
                                        }
                                        t += 15 + *ip++;
                                }
                                t += 3;
 copy_literal_run:
 #if defined(CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS)
-                                if (likely(HAVE_IP(t + 15) && HAVE_OP(t + 15))) {
+                                if (likely(HAVE_IP(t, 15) && HAVE_OP(t, 15))) {
                                        const unsigned char *ie = ip + t;
                                        unsigned char *oe = op + t;
                                        do {
@@ -81,8 +101,8 @@ copy_literal_run:
                                } else
 #endif
                                {
-                                        NEED_OP(t);
+                                        NEED_OP(t, 0);
-                                        NEED_IP(t + 3);
+                                        NEED_IP(t, 3);
                                        do {
                                                *op++ = *ip++;
                                        } while (--t > 0);
@@ -95,7 +115,7 @@ copy_literal_run:
                                m_pos -= t >> 2;
                                m_pos -= *ip++ << 2;
                                TEST_LB(m_pos);
-                                NEED_OP(2);
+                                NEED_OP(2, 0);
                                op[0] = m_pos[0];
                                op[1] = m_pos[1];
                                op += 2;
@@ -119,10 +139,10 @@ copy_literal_run:
                                while (unlikely(*ip == 0)) {
                                        t += 255;
                                        ip++;
-                                        NEED_IP(1);
+                                        NEED_IP(1, 0);
                                }
                                t += 31 + *ip++;
-                                NEED_IP(2);
+                                NEED_IP(2, 0);
                        }
                        m_pos = op - 1;
                        next = get_unaligned_le16(ip);
@@ -137,10 +157,10 @@ copy_literal_run:
                                while (unlikely(*ip == 0)) {
                                        t += 255;
                                        ip++;
-                                        NEED_IP(1);
+                                        NEED_IP(1, 0);
                                }
                                t += 7 + *ip++;
-                                NEED_IP(2);
+                                NEED_IP(2, 0);
                        }
                        next = get_unaligned_le16(ip);
                        ip += 2;
@@ -154,7 +174,7 @@ copy_literal_run:
 #if defined(CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS)
                if (op - m_pos >= 8) {
                        unsigned char *oe = op + t;
-                        if (likely(HAVE_OP(t + 15))) {
+                        if (likely(HAVE_OP(t, 15))) {
                                do {
                                        COPY8(op, m_pos);
                                        op += 8;
@@ -164,7 +184,7 @@ copy_literal_run:
                                        m_pos += 8;
                                } while (op < oe);
                                op = oe;
-                                if (HAVE_IP(6)) {
+                                if (HAVE_IP(6, 0)) {
                                        state = next;
                                        COPY4(op, ip);
                                        op += next;
@@ -172,7 +192,7 @@ copy_literal_run:
                                        continue;
                                }
                        } else {
-                                NEED_OP(t);
+                                NEED_OP(t, 0);
                                do {
                                        *op++ = *m_pos++;
                                } while (op < oe);
@@ -181,7 +201,7 @@ copy_literal_run:
 #endif
                {
                        unsigned char *oe = op + t;
-                        NEED_OP(t);
+                        NEED_OP(t, 0);
                        op[0] = m_pos[0];
                        op[1] = m_pos[1];
                        op += 2;
@@ -194,15 +214,15 @@ match_next:
                state = next;
                t = next;
 #if defined(CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS)
-                if (likely(HAVE_IP(6) && HAVE_OP(4))) {
+                if (likely(HAVE_IP(6, 0) && HAVE_OP(4, 0))) {
                        COPY4(op, ip);
                        op += t;
                        ip += t;
                } else
 #endif
                {
-                        NEED_IP(t + 3);
+                        NEED_IP(t, 3);
-                        NEED_OP(t);
+                        NEED_OP(t, 0);
                        while (t > 0) {
                                *op++ = *ip++;
                                t--;
author	Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2014-06-21 01:00:53 -0400
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2014-06-23 14:12:01 -0400
commit	206a81c18401c0cde6e579164f752c4b147324ce (patch)
tree	9a8eae6e89068e372ace1ac0a13af5c76b09faf9 /lib
parent	7171511eaec5bf23fb06078f59784a3a0626b38f (diff)

diff --git a/lib/lzo/lzo1x_decompress_safe.c b/lib/lzo/lzo1x_decompress_safe.c index 569985d522d5..8563081e8da3 100644 --- a/lib/lzo/lzo1x_decompress_safe.c +++ b/lib/lzo/lzo1x_decompress_safe.c
@@ -19,11 +19,31 @@
19	#include <linux/lzo.h>	19	#include <linux/lzo.h>
20	#include "lzodefs.h"	20	#include "lzodefs.h"
21		21
22	#define HAVE_IP(x) ((size_t)(ip_end - ip) >= (size_t)(x))	22	#define HAVE_IP(t, x) \
23	#define HAVE_OP(x) ((size_t)(op_end - op) >= (size_t)(x))	23	(((size_t)(ip_end - ip) >= (size_t)(t + x)) && \
24	#define NEED_IP(x) if (!HAVE_IP(x)) goto input_overrun	24	(((t + x) >= t) && ((t + x) >= x)))
25	#define NEED_OP(x) if (!HAVE_OP(x)) goto output_overrun	25
26	#define TEST_LB(m_pos) if ((m_pos) < out) goto lookbehind_overrun	26	#define HAVE_OP(t, x) \
		27	(((size_t)(op_end - op) >= (size_t)(t + x)) && \
		28	(((t + x) >= t) && ((t + x) >= x)))
		29
		30	#define NEED_IP(t, x) \
		31	do { \
		32	if (!HAVE_IP(t, x)) \
		33	goto input_overrun; \
		34	} while (0)
		35
		36	#define NEED_OP(t, x) \
		37	do { \
		38	if (!HAVE_OP(t, x)) \
		39	goto output_overrun; \
		40	} while (0)
		41
		42	#define TEST_LB(m_pos) \
		43	do { \
		44	if ((m_pos) < out) \
		45	goto lookbehind_overrun; \
		46	} while (0)
27		47
28	int lzo1x_decompress_safe(const unsigned char *in, size_t in_len,	48	int lzo1x_decompress_safe(const unsigned char *in, size_t in_len,
29	unsigned char out, size_t out_len)	49	unsigned char out, size_t out_len)
@@ -58,14 +78,14 @@ int lzo1x_decompress_safe(const unsigned char *in, size_t in_len,
58	while (unlikely(*ip == 0)) {	78	while (unlikely(*ip == 0)) {
59	t += 255;	79	t += 255;
60	ip++;	80	ip++;
61	NEED_IP(1);	81	NEED_IP(1, 0);
62	}	82	}
63	t += 15 + *ip++;	83	t += 15 + *ip++;
64	}	84	}
65	t += 3;	85	t += 3;
66	copy_literal_run:	86	copy_literal_run:
67	#if defined(CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS)	87	#if defined(CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS)
68	if (likely(HAVE_IP(t + 15) && HAVE_OP(t + 15))) {	88	if (likely(HAVE_IP(t, 15) && HAVE_OP(t, 15))) {
69	const unsigned char *ie = ip + t;	89	const unsigned char *ie = ip + t;
70	unsigned char *oe = op + t;	90	unsigned char *oe = op + t;
71	do {	91	do {
@@ -81,8 +101,8 @@ copy_literal_run:
81	} else	101	} else
82	#endif	102	#endif
83	{	103	{
84	NEED_OP(t);	104	NEED_OP(t, 0);
85	NEED_IP(t + 3);	105	NEED_IP(t, 3);
86	do {	106	do {
87	op++ = ip++;	107	op++ = ip++;
88	} while (--t > 0);	108	} while (--t > 0);
@@ -95,7 +115,7 @@ copy_literal_run:
95	m_pos -= t >> 2;	115	m_pos -= t >> 2;
96	m_pos -= *ip++ << 2;	116	m_pos -= *ip++ << 2;
97	TEST_LB(m_pos);	117	TEST_LB(m_pos);
98	NEED_OP(2);	118	NEED_OP(2, 0);
99	op[0] = m_pos[0];	119	op[0] = m_pos[0];
100	op[1] = m_pos[1];	120	op[1] = m_pos[1];
101	op += 2;	121	op += 2;
@@ -119,10 +139,10 @@ copy_literal_run:
119	while (unlikely(*ip == 0)) {	139	while (unlikely(*ip == 0)) {
120	t += 255;	140	t += 255;
121	ip++;	141	ip++;
122	NEED_IP(1);	142	NEED_IP(1, 0);
123	}	143	}
124	t += 31 + *ip++;	144	t += 31 + *ip++;
125	NEED_IP(2);	145	NEED_IP(2, 0);
126	}	146	}
127	m_pos = op - 1;	147	m_pos = op - 1;
128	next = get_unaligned_le16(ip);	148	next = get_unaligned_le16(ip);
@@ -137,10 +157,10 @@ copy_literal_run:
137	while (unlikely(*ip == 0)) {	157	while (unlikely(*ip == 0)) {
138	t += 255;	158	t += 255;
139	ip++;	159	ip++;
140	NEED_IP(1);	160	NEED_IP(1, 0);
141	}	161	}
142	t += 7 + *ip++;	162	t += 7 + *ip++;
143	NEED_IP(2);	163	NEED_IP(2, 0);
144	}	164	}
145	next = get_unaligned_le16(ip);	165	next = get_unaligned_le16(ip);
146	ip += 2;	166	ip += 2;
@@ -154,7 +174,7 @@ copy_literal_run:
154	#if defined(CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS)	174	#if defined(CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS)
155	if (op - m_pos >= 8) {	175	if (op - m_pos >= 8) {
156	unsigned char *oe = op + t;	176	unsigned char *oe = op + t;
157	if (likely(HAVE_OP(t + 15))) {	177	if (likely(HAVE_OP(t, 15))) {
158	do {	178	do {
159	COPY8(op, m_pos);	179	COPY8(op, m_pos);
160	op += 8;	180	op += 8;
@@ -164,7 +184,7 @@ copy_literal_run:
164	m_pos += 8;	184	m_pos += 8;
165	} while (op < oe);	185	} while (op < oe);
166	op = oe;	186	op = oe;
167	if (HAVE_IP(6)) {	187	if (HAVE_IP(6, 0)) {
168	state = next;	188	state = next;
169	COPY4(op, ip);	189	COPY4(op, ip);
170	op += next;	190	op += next;
@@ -172,7 +192,7 @@ copy_literal_run:
172	continue;	192	continue;
173	}	193	}
174	} else {	194	} else {
175	NEED_OP(t);	195	NEED_OP(t, 0);
176	do {	196	do {
177	op++ = m_pos++;	197	op++ = m_pos++;
178	} while (op < oe);	198	} while (op < oe);
@@ -181,7 +201,7 @@ copy_literal_run:
181	#endif	201	#endif
182	{	202	{
183	unsigned char *oe = op + t;	203	unsigned char *oe = op + t;
184	NEED_OP(t);	204	NEED_OP(t, 0);
185	op[0] = m_pos[0];	205	op[0] = m_pos[0];
186	op[1] = m_pos[1];	206	op[1] = m_pos[1];
187	op += 2;	207	op += 2;
@@ -194,15 +214,15 @@ match_next:
194	state = next;	214	state = next;
195	t = next;	215	t = next;
196	#if defined(CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS)	216	#if defined(CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS)
197	if (likely(HAVE_IP(6) && HAVE_OP(4))) {	217	if (likely(HAVE_IP(6, 0) && HAVE_OP(4, 0))) {
198	COPY4(op, ip);	218	COPY4(op, ip);
199	op += t;	219	op += t;
200	ip += t;	220	ip += t;
201	} else	221	} else
202	#endif	222	#endif
203	{	223	{
204	NEED_IP(t + 3);	224	NEED_IP(t, 3);
205	NEED_OP(t);	225	NEED_OP(t, 0);
206	while (t > 0) {	226	while (t > 0) {
207	op++ = ip++;	227	op++ = ip++;
208	t--;	228	t--;