
Re: [Xen-devel] [PATCH 2/2] lzo: check for length overrun in variable length encoding



On Tue, 2014-11-04 at 11:24 +0000, Ian Jackson wrote:
> Jan Beulich writes ("[PATCH 2/2] lzo: check for length overrun in variable 
> length encoding"):
> > This fix ensures that we never meet an integer overflow while adding
> > 255 while parsing a variable length encoding. It works differently from
> > commit 504f70b6 ("lzo: properly check for overruns") because instead of
> > ensuring that we don't overrun the input, which is tricky to guarantee
> > due to many assumptions in the code, it simply checks that the cumulated
> > number of 255 read cannot overflow by bounding this number.
> 
> AFAICT this decompressor is exposed to untrusted guest kernel images.

Only in mini-os context, I think. AIUI dom0 hosted libxc uses liblzo2.

Not 100% sure of that, but tools/libxc/Makefile's handling of
xc_dom_decompress_unsafe_lzo1x seems to confirm what I thought.

Aside from that, I presume you are trying to say that the description of
the fix suggests the code would be vulnerable to untrusted input? It
looks to me as if it is in fact OK for untrusted input, but perhaps I've
misunderstood what it is doing.

Ian.
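
Added example (not part of the original message, and not the code from the patch or from Xen): a C sketch of the bounding idea described in the quoted commit message, next to an unbounded accumulator for contrast. The "each 0x00 byte adds 255" encoding, the function names, the run_limit parameter and the deliberately narrow 16-bit routine are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>

enum { VLEN_OK = 0, VLEN_INPUT_OVERRUN = -1, VLEN_LENGTH_OVERRUN = -2 };

/* Largest run of zero bytes for which run * 255 + base + 255 still fits in
 * size_t (assumed bound for this sketch; requires base <= SIZE_MAX - 255). */
static size_t max_zero_run(size_t base)
{
    return (SIZE_MAX - base - 255) / 255;
}

/* Decode one length: each 0x00 byte adds 255, the first non-zero byte
 * terminates the run and adds its own value plus `base`. */
static int decode_varlen(const uint8_t *in, size_t in_len, size_t base,
                         size_t run_limit, size_t *len, size_t *used)
{
    size_t zeros = 0;

    while (zeros < in_len && in[zeros] == 0) {
        if (++zeros > run_limit)
            return VLEN_LENGTH_OVERRUN;   /* run too long: refuse to sum it */
    }
    if (zeros == in_len)
        return VLEN_INPUT_OVERRUN;        /* no terminating byte in buffer */

    *len = zeros * 255 + base + in[zeros]; /* cannot wrap when run_limit <= max_zero_run(base) */
    *used = zeros + 1;
    return VLEN_OK;
}

/* Unbounded accumulation in a deliberately narrow 16-bit type, so the wrap
 * is observable with a few hundred bytes of constructed input. */
static uint16_t naive_varlen16(const uint8_t *in, size_t in_len, uint16_t base)
{
    uint16_t t = 0;
    size_t i = 0;

    while (i < in_len && in[i] == 0) {
        t = (uint16_t)(t + 255);          /* silently wraps past 65535 */
        i++;
    }
    return (uint16_t)(t + base + (i < in_len ? in[i] : 0));
}
```

The bounded decoder rejects an over-long run before any multiplication happens, so the result never depends on how far the input buffer extends.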