[Lucid][CVE-2014-4608][PATCH 0/3] lzo: properly check for overruns
Luis Henriques
luis.henriques at canonical.com
Mon Jun 30 13:03:53 UTC 2014
On Mon, Jun 30, 2014 at 01:13:57PM +0100, Andy Whitcroft wrote:
> On Fri, Jun 27, 2014 at 06:04:13PM +0100, Luis Henriques wrote:
> > On Fri, Jun 27, 2014 at 10:52:13AM -0600, Tim Gardner wrote:
> > > Well, I hope you got it right 'cause that's a lot of new code. Were you
> > > able to test it?
> > >
> > > --
> > > Tim Gardner tim.gardner at canonical.com
> >
> > No, I didn't test them (other than build-testing).
> >
> > I believe 2.6.32 kernels don't support lzo compressed kernels, so I
> > would need to find some other test case for that (shouldn't be too
> > difficult, I guess). If you want me to test them, just NAK the Lucid
> > patches and I'll see what I can do to test it next week.
> >
> > Anyway, lots of these changes are just moving code around and the
> > differences between the backports and the original commits are
> > virtually zero. But I share your concerns: I *really* hope I got this
> > right as well :-)
>
> When you say that we do not support LZO compressed kernels, does that
> imply we could just turn this code off instead of fixing it? Or indeed
> that it is already off?
>

What I meant was that, although LZO compression is supported on the
Lucid kernel, actually using this compression for creating and
extracting kernel images using this algorithm wasn't supported yet
(HAVE_KERNEL_LZO). Support for this was added later with commit:

  commit 7dd65feb6c603e13eba501c34c662259ab38e70e
  Author: Albin Tonnerre <albin.tonnerre at free-electrons.com>
  Date:   Fri Jan 8 14:42:42 2010 -0800

      lib: add support for LZO-compressed kernels

> On a quick inspection it is hard to tell what it is consumed by sadly.
> But worth spending half an hour checking.
>
> -apw

A quick 'git grep' shows that there are two consumers of functions
lzo1x_1_compress() and lzo1x_decompress_safe(): fs/jffs2 and
ubuntu/compcache.

Looks like this last module (ramzswap) allows running a quick test
to verify LZO isn't broken. I'll do the following:

 1. Run a Lucid system and enable a /dev/ramzswap0 device as the only
    swap device for the system (disabling any other swap device set by
    default on boot)
 2. Load the system so that swap is used
 3. Reduce the load so that swap space is back to 0
 4. Do 2 and 3 for a while

I'll report back later after running this test for a while.

Cheers,
--
Luís
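
Added example, not part of the original message or of the kernel tree: a small shell helper for the ramzswap test loop described above. It checks that /dev/ramzswap0 really is the only active swap device (otherwise swapping never goes through the LZO code) and counts how many times swap use rose above 0 and returned to 0. The script layout, function names and `watch`/`cycles` modes are assumptions; it reads the standard /proc/swaps columns and does not generate the load itself.

```shell
#!/bin/sh
# Added example: sanity checks for a ramzswap-based LZO regression test.
# Assumes /proc/swaps columns: Filename Type Size Used Priority (sizes in KiB).
SWAPS_FILE="${SWAPS_FILE:-/proc/swaps}"
DEVICE="${DEVICE:-/dev/ramzswap0}"   # device name taken from the message

# Succeeds only if DEVICE is listed and no other swap device is active.
only_ramzswap_active() {
    awk -v dev="$DEVICE" '
        NR == 1 { next }                      # skip the header line
        NF >= 4 { n++; if ($1 == dev) seen = 1 }
        END     { exit !(seen && n == 1) }
    ' "${1:-$SWAPS_FILE}"
}

# Prints the KiB currently swapped out to DEVICE (0 if it is not listed).
ramzswap_used_kb() {
    awk -v dev="$DEVICE" '
        NR > 1 && $1 == dev { used = $4 }
        END { print used + 0 }
    ' "${1:-$SWAPS_FILE}"
}

# Reads one "used KiB" sample per line on stdin and prints the number of
# completed cycles: swap use went above 0 and later dropped back to 0.
count_cycles() {
    awk '
        NF == 0         { next }
        $1 > 0          { busy = 1 }
        $1 == 0 && busy { cycles++; busy = 0 }
        END             { print cycles + 0 }
    '
}

case "${1:-}" in
    watch)   # sample once per second while load is applied and removed
        only_ramzswap_active || {
            echo "another swap device is active; LZO path not guaranteed" >&2
            exit 1
        }
        while sleep 1; do ramzswap_used_kb; done ;;
    cycles)  # e.g. sh lzo-swap-check.sh cycles < samples.txt
        count_cycles ;;
esac
```

Run with `watch` redirected to a file during steps 2 to 4, then feed that file to `cycles` to confirm the compress/decompress path was exercised repeatedly.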