
Re: [Xen-devel] [PATCH 3/3] lzo: properly check for overruns



On Wed, 2014-07-02 at 15:27 +0100, Jan Beulich wrote:
> From: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
> 
> The lzo decompressor can, if given some really crazy data, possibly
> overrun some variable types.  Modify the checking logic to properly
> detect overruns before they happen.
> 
> Reported-by: "Don A. Bailey" <donb@xxxxxxxxxxxxxxxxx>
> Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
> 
> Original Linux commit: 206a81c18401c0cde6e579164f752c4b147324ce.
> 
> This is CVE-2014-4607 (but not a security issue in Xen, since the code
> is only used for loading the Dom0 kernel and _inside_ an eventual DomU
> for loading its kernel).
> 
> Signed-off-by: Jan Beulich <jbeulich@xxxxxxxx>

I've not reviewed it closely since it already went into Linux, but:
Acked-by: Ian Campbell <ian.campbell@xxxxxxxxxx>



_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel
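
The class of check the quoted commit message describes, as an added example; it is not the Linux or Xen patch. The helper names, the `base` parameter and the sample bytes are constructed for illustration. It shows an input-availability test whose sum can wrap, the same test with the wrap rejected first, and an LZO-style run-length read that refuses to let the accumulated length wrap.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Unchecked form: "are t + x input bytes left?"  The sum can wrap. */
static int have_bytes_naive(size_t avail, size_t t, size_t x)
{
    return avail >= t + x;          /* a huge t wraps to a small sum */
}

/* Checked form: refuse when t + x would wrap, then compare. */
static int have_bytes_checked(size_t avail, size_t t, size_t x)
{
    return t <= SIZE_MAX - x && avail >= t + x;
}

/*
 * LZO-style extended run length: each 0x00 byte adds 255, the first
 * non-zero byte ends the count.  Returns 0 and sets *len / *next, or -1
 * on truncated input or when the accumulated length would wrap.
 */
static int read_run_length(const uint8_t *ip, const uint8_t *ip_end,
                           size_t base, size_t *len, const uint8_t **next)
{
    size_t t = base;

    while (ip < ip_end && *ip == 0) {
        if (t > SIZE_MAX - 255)
            return -1;              /* detect the overrun before it happens */
        t += 255;
        ip++;
    }
    if (ip == ip_end || t > SIZE_MAX - *ip)
        return -1;
    *len = t + *ip++;
    *next = ip;
    return 0;
}

int main(void)
{
    const uint8_t in[] = { 0x00, 0x00, 0x05 };   /* constructed sample */
    const uint8_t *next;
    size_t len = 0;
    int rc = read_run_length(in, in + sizeof in, 15, &len, &next);

    printf("rc=%d len=%zu\n", rc, len);
    printf("naive=%d checked=%d\n", have_bytes_naive(10, SIZE_MAX - 1, 3),
           have_bytes_checked(10, SIZE_MAX - 1, 3));
    return 0;
}
```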


 

