ACK: [Saucy][Trusty][CVE-2014-4611][PATCH 1/1] lz4: ensure length does not wrap
Stefan Bader
stefan.bader at canonical.com
Mon Jun 30 08:47:36 UTC 2014
On 27.06.2014 18:56, Brad Figg wrote:
> From: Greg Kroah-Hartman <gregkh at linuxfoundation.org>
>
> CVE-2014-2611
>
> Given some pathologically compressed data, lz4 could possibly decide to
> wrap a few internal variables, causing unknown things to happen. Catch
> this before the wrapping happens and abort the decompression.
>
> Reported-by: "Don A. Bailey" <donb at securitymouse.com>
> Cc: stable <stable at vger.kernel.org>
> Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>
> (cherry picked from commit 206204a1162b995e2185275167b22468c00d6b36)
> Signed-off-by: Brad Figg <brad.figg at canonical.com>
> ---
> lib/lz4/lz4_decompress.c | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/lib/lz4/lz4_decompress.c b/lib/lz4/lz4_decompress.c
> index 411be80..6423f01 100644
> --- a/lib/lz4/lz4_decompress.c
> +++ b/lib/lz4/lz4_decompress.c
> @@ -72,6 +72,8 @@ static int lz4_uncompress(const char *source, char *dest, int osize)
> len = *ip++;
> for (; len == 255; length += 255)
> len = *ip++;
> + if (unlikely(length > (size_t)(length + len)))
> + goto _output_error;
> length += len;
> }
>
>
Looks to be doing what it claims
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 901 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/kernel-team/attachments/20140630/32b617c0/attachment.sig>
More information about the kernel-team
mailing list