From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Sat, 28 Jun 2014 15:37:48 +0000 (-0400)
Subject: 3.14-stable patches
X-Git-Tag: v3.4.96~8
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=21a1619e56e9b0118753773b6a453a63cbed931b;p=thirdparty%2Fkernel%2Fstable-queue.git

3.14-stable patches

added patches:
	lz4-fix-another-possible-overrun.patch
---

diff --git a/queue-3.14/lz4-fix-another-possible-overrun.patch b/queue-3.14/lz4-fix-another-possible-overrun.patch
new file mode 100644
index 00000000000..aeeaeda4f0c
--- /dev/null
+++ b/queue-3.14/lz4-fix-another-possible-overrun.patch
@@ -0,0 +1,47 @@
+From 4148c1f67abf823099b2d7db6851e4aea407f5ee Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Date: Tue, 24 Jun 2014 16:59:01 -0400
+Subject: lz4: fix another possible overrun
+
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+commit 4148c1f67abf823099b2d7db6851e4aea407f5ee upstream.
+
+There is one other possible overrun in the lz4 code as implemented by
+Linux at this point in time (which differs from the upstream lz4
+codebase, but will get synced at in a future kernel release.)  As
+pointed out by Don, we also need to check the overflow in the data
+itself.
+
+While we are at it, replace the odd error return value with just a
+"simple" -1 value as the return value is never used for anything other
+than a basic "did this work or not" check.
+
+Reported-by: "Don A. Bailey" <donb@securitymouse.com>
+Reported-by: Willy Tarreau <w@1wt.eu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ lib/lz4/lz4_decompress.c |    4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/lib/lz4/lz4_decompress.c
++++ b/lib/lz4/lz4_decompress.c
+@@ -108,6 +108,8 @@ static int lz4_uncompress(const char *so
+ 		if (length == ML_MASK) {
+ 			for (; *ip == 255; length += 255)
+ 				ip++;
++			if (unlikely(length > (size_t)(length + *ip)))
++				goto _output_error;
+ 			length += *ip++;
+ 		}
+ 
+@@ -157,7 +159,7 @@ static int lz4_uncompress(const char *so
+ 
+ 	/* write overflow error detected */
+ _output_error:
+-	return (int) (-(((char *)ip) - source));
++	return -1;
+ }
+ 
+ static int lz4_uncompress_unknownoutputsize(const char *source, char *dest,
diff --git a/queue-3.14/series b/queue-3.14/series
index 6d6398580fc..1d1bd5fe55b 100644
--- a/queue-3.14/series
+++ b/queue-3.14/series
@@ -103,3 +103,4 @@ btrfs-fix-scrub_print_warning-to-handle-skinny-metadata-extents.patch
 btrfs-fix-use-of-uninit-ret-in-end_extent_writepage.patch
 btrfs-fix-lockdep-warning-with-reclaim-lock-inversion.patch
 btrfs-allocate-raid-type-kobjects-dynamically.patch
+lz4-fix-another-possible-overrun.patch