From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Tue, 24 Jun 2014 12:50:44 +0000 (-0400)
Subject: 3.14-stable patches
X-Git-Tag: v3.4.95~14
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=8e75e9ca66b0d433e21a005c7ca9bc2e0979ae30;p=thirdparty%2Fkernel%2Fstable-queue.git

3.14-stable patches

added patches:
	lz4-ensure-length-does-not-wrap.patch
	lzo-properly-check-for-overruns.patch
---

diff --git a/queue-3.14/lz4-ensure-length-does-not-wrap.patch b/queue-3.14/lz4-ensure-length-does-not-wrap.patch
new file mode 100644
index 00000000000..1956e9676a4
--- /dev/null
+++ b/queue-3.14/lz4-ensure-length-does-not-wrap.patch
@@ -0,0 +1,31 @@
+From 206204a1162b995e2185275167b22468c00d6b36 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Date: Fri, 20 Jun 2014 22:01:41 -0700
+Subject: lz4: ensure length does not wrap
+
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+commit 206204a1162b995e2185275167b22468c00d6b36 upstream.
+
+Given some pathologically compressed data, lz4 could possibly decide to
+wrap a few internal variables, causing unknown things to happen.  Catch
+this before the wrapping happens and abort the decompression.
+
+Reported-by: "Don A. Bailey" <donb@securitymouse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ lib/lz4/lz4_decompress.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/lib/lz4/lz4_decompress.c
++++ b/lib/lz4/lz4_decompress.c
+@@ -72,6 +72,8 @@ static int lz4_uncompress(const char *so
+ 			len = *ip++;
+ 			for (; len == 255; length += 255)
+ 				len = *ip++;
++			if (unlikely(length > (size_t)(length + len)))
++				goto _output_error;
+ 			length += len;
+ 		}
+ 
diff --git a/queue-3.14/lzo-properly-check-for-overruns.patch b/queue-3.14/lzo-properly-check-for-overruns.patch
new file mode 100644
index 00000000000..18deff058fb
--- /dev/null
+++ b/queue-3.14/lzo-properly-check-for-overruns.patch
@@ -0,0 +1,178 @@
+From 206a81c18401c0cde6e579164f752c4b147324ce Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Date: Fri, 20 Jun 2014 22:00:53 -0700
+Subject: lzo: properly check for overruns
+
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+commit 206a81c18401c0cde6e579164f752c4b147324ce upstream.
+
+The lzo decompressor can, if given some really crazy data, possibly
+overrun some variable types.  Modify the checking logic to properly
+detect overruns before they happen.
+
+Reported-by: "Don A. Bailey" <donb@securitymouse.com>
+Tested-by: "Don A. Bailey" <donb@securitymouse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ lib/lzo/lzo1x_decompress_safe.c |   62 ++++++++++++++++++++++++++--------------
+ 1 file changed, 41 insertions(+), 21 deletions(-)
+
+--- a/lib/lzo/lzo1x_decompress_safe.c
++++ b/lib/lzo/lzo1x_decompress_safe.c
+@@ -19,11 +19,31 @@
+ #include <linux/lzo.h>
+ #include "lzodefs.h"
+ 
+-#define HAVE_IP(x)      ((size_t)(ip_end - ip) >= (size_t)(x))
+-#define HAVE_OP(x)      ((size_t)(op_end - op) >= (size_t)(x))
+-#define NEED_IP(x)      if (!HAVE_IP(x)) goto input_overrun
+-#define NEED_OP(x)      if (!HAVE_OP(x)) goto output_overrun
+-#define TEST_LB(m_pos)  if ((m_pos) < out) goto lookbehind_overrun
++#define HAVE_IP(t, x)					\
++	(((size_t)(ip_end - ip) >= (size_t)(t + x)) &&	\
++	 (((t + x) >= t) && ((t + x) >= x)))
++
++#define HAVE_OP(t, x)					\
++	(((size_t)(op_end - op) >= (size_t)(t + x)) &&	\
++	 (((t + x) >= t) && ((t + x) >= x)))
++
++#define NEED_IP(t, x)					\
++	do {						\
++		if (!HAVE_IP(t, x))			\
++			goto input_overrun;		\
++	} while (0)
++
++#define NEED_OP(t, x)					\
++	do {						\
++		if (!HAVE_OP(t, x))			\
++			goto output_overrun;		\
++	} while (0)
++
++#define TEST_LB(m_pos)					\
++	do {						\
++		if ((m_pos) < out)			\
++			goto lookbehind_overrun;	\
++	} while (0)
+ 
+ int lzo1x_decompress_safe(const unsigned char *in, size_t in_len,
+ 			  unsigned char *out, size_t *out_len)
+@@ -58,14 +78,14 @@ int lzo1x_decompress_safe(const unsigned
+ 					while (unlikely(*ip == 0)) {
+ 						t += 255;
+ 						ip++;
+-						NEED_IP(1);
++						NEED_IP(1, 0);
+ 					}
+ 					t += 15 + *ip++;
+ 				}
+ 				t += 3;
+ copy_literal_run:
+ #if defined(CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS)
+-				if (likely(HAVE_IP(t + 15) && HAVE_OP(t + 15))) {
++				if (likely(HAVE_IP(t, 15) && HAVE_OP(t, 15))) {
+ 					const unsigned char *ie = ip + t;
+ 					unsigned char *oe = op + t;
+ 					do {
+@@ -81,8 +101,8 @@ copy_literal_run:
+ 				} else
+ #endif
+ 				{
+-					NEED_OP(t);
+-					NEED_IP(t + 3);
++					NEED_OP(t, 0);
++					NEED_IP(t, 3);
+ 					do {
+ 						*op++ = *ip++;
+ 					} while (--t > 0);
+@@ -95,7 +115,7 @@ copy_literal_run:
+ 				m_pos -= t >> 2;
+ 				m_pos -= *ip++ << 2;
+ 				TEST_LB(m_pos);
+-				NEED_OP(2);
++				NEED_OP(2, 0);
+ 				op[0] = m_pos[0];
+ 				op[1] = m_pos[1];
+ 				op += 2;
+@@ -119,10 +139,10 @@ copy_literal_run:
+ 				while (unlikely(*ip == 0)) {
+ 					t += 255;
+ 					ip++;
+-					NEED_IP(1);
++					NEED_IP(1, 0);
+ 				}
+ 				t += 31 + *ip++;
+-				NEED_IP(2);
++				NEED_IP(2, 0);
+ 			}
+ 			m_pos = op - 1;
+ 			next = get_unaligned_le16(ip);
+@@ -137,10 +157,10 @@ copy_literal_run:
+ 				while (unlikely(*ip == 0)) {
+ 					t += 255;
+ 					ip++;
+-					NEED_IP(1);
++					NEED_IP(1, 0);
+ 				}
+ 				t += 7 + *ip++;
+-				NEED_IP(2);
++				NEED_IP(2, 0);
+ 			}
+ 			next = get_unaligned_le16(ip);
+ 			ip += 2;
+@@ -154,7 +174,7 @@ copy_literal_run:
+ #if defined(CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS)
+ 		if (op - m_pos >= 8) {
+ 			unsigned char *oe = op + t;
+-			if (likely(HAVE_OP(t + 15))) {
++			if (likely(HAVE_OP(t, 15))) {
+ 				do {
+ 					COPY8(op, m_pos);
+ 					op += 8;
+@@ -164,7 +184,7 @@ copy_literal_run:
+ 					m_pos += 8;
+ 				} while (op < oe);
+ 				op = oe;
+-				if (HAVE_IP(6)) {
++				if (HAVE_IP(6, 0)) {
+ 					state = next;
+ 					COPY4(op, ip);
+ 					op += next;
+@@ -172,7 +192,7 @@ copy_literal_run:
+ 					continue;
+ 				}
+ 			} else {
+-				NEED_OP(t);
++				NEED_OP(t, 0);
+ 				do {
+ 					*op++ = *m_pos++;
+ 				} while (op < oe);
+@@ -181,7 +201,7 @@ copy_literal_run:
+ #endif
+ 		{
+ 			unsigned char *oe = op + t;
+-			NEED_OP(t);
++			NEED_OP(t, 0);
+ 			op[0] = m_pos[0];
+ 			op[1] = m_pos[1];
+ 			op += 2;
+@@ -194,15 +214,15 @@ match_next:
+ 		state = next;
+ 		t = next;
+ #if defined(CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS)
+-		if (likely(HAVE_IP(6) && HAVE_OP(4))) {
++		if (likely(HAVE_IP(6, 0) && HAVE_OP(4, 0))) {
+ 			COPY4(op, ip);
+ 			op += t;
+ 			ip += t;
+ 		} else
+ #endif
+ 		{
+-			NEED_IP(t + 3);
+-			NEED_OP(t);
++			NEED_IP(t, 3);
++			NEED_OP(t, 0);
+ 			while (t > 0) {
+ 				*op++ = *ip++;
+ 				t--;
diff --git a/queue-3.14/series b/queue-3.14/series
index 6250b9934f9..14806e51b42 100644
--- a/queue-3.14/series
+++ b/queue-3.14/series
@@ -55,3 +55,5 @@ iio-mxs-lradc-fix-divider.patch
 iio-adc-at91-signedness-bug-in-at91_adc_get_trigger_value_by_name.patch
 iio-fix-endianness-issue-in-ak8975_read_axis.patch
 iio-fix-two-mpl3115-issues-in-measurement-conversion.patch
+lzo-properly-check-for-overruns.patch
+lz4-ensure-length-does-not-wrap.patch