Illumos #4936 fix potential overflow in lz4

4936 lz4 could theoretically overflow a pointer with a certain input
Reviewed by: Saso Kiselkov <skiselkov.ml@gmail.com>
Reviewed by: Keith Wesolowski <keith.wesolowski@joyent.com>
Approved by: Gordon Ross <gordon.ross@nexenta.com>
Ported by: Tim Chase <tim@chase2k.com>

References:
  https://illumos.org/issues/4936
  https://github.com/illumos/illumos-gate/commit/58d0718

Porting notes:

This fixes the widely-reported "20-year-old vulnerability" in
LZO/LZ4 implementations which inherited said bug from the reference
implementation.

Signed-off-by: Richard Yao <ryao@gentoo.org>
Signed-off-by: Tim Chase <tim@chase2k.com>
Signed-off-by: Brian Behlendorf <behlendorf1@llnl.gov>
Closes #2429

diff --git a/module/zfs/lz4.c b/module/zfs/lz4.c
index 497296e35129fd6fef21f15a90fe984e4267c043..5c3c6cdb173c18c648319830e6baf558d473674f 100644 (file)
--- a/module/zfs/lz4.c
+++ b/module/zfs/lz4.c
@@ -907,6 +907,9 @@ LZ4_uncompress_unknownOutputSize(const char *source, char *dest, int isize,
                }
                /* copy literals */
                cpy = op + length;
+               /* CORNER-CASE: cpy might overflow. */
+               if (cpy < op)
+                       goto _output_error;     /* cpy was overflowed, bail! */
                if ((cpy > oend - COPYLENGTH) ||
                    (ip + length > iend - COPYLENGTH)) {
                        if (cpy > oend)