t; place, as part of commit "Fix gunzip to work for any gziped uImage size".
>
> This patch is similar to the earlier b75650d84d4b "gzip: correctly
> bounds-check output buffer", which corrected a similar issue for
> s.avail_out.
>
> Cc: Catalin Radu
> Cc: K
On Tue, Apr 15, 2014 at 10:27 AM, Kees Cook wrote:
> On Mon, Apr 14, 2014 at 10:48 PM, Matthias Weißer wrote:
>> Am 14.04.2014 17:38, schrieb Kees Cook:
>>
>>> On Mon, Apr 14, 2014 at 1:51 AM, Matthias Weißer
>>> wrote:
>>>>
>>>> Am
The LZO decompressor wasn't initializing the maximum output size, which
meant it would fail to decompress most of the time.
Reported-by: Matthias Weißer
Signed-off-by: Kees Cook
Tested-by: Matthias Weißer
---
common/cmd_bootm.c |2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
On Mon, Apr 14, 2014 at 10:48 PM, Matthias Weißer wrote:
> Am 14.04.2014 17:38, schrieb Kees Cook:
>
>> On Mon, Apr 14, 2014 at 1:51 AM, Matthias Weißer
>> wrote:
>>>
>>> Am 14.04.2014 08:09, schrieb Matthias Weißer:
>>>
>>>> Hi Wolf
to RAM and
>> then directly executing it without copying it to flash. It seems that
>> the flash device (EN29GL256H) is then in some mode (maybe auto-select)
>> which prevents it from normal read operations which doesn't allow the
>> flash driver of the OS to come up. We
On Fri, Nov 8, 2013 at 4:04 AM, Michal Simek wrote:
> Hi Kees,
>
> On 08/16/2013 04:59 PM, Kees Cook wrote:
>> The output buffer size must not be reset by the gzip decoder or there
>> is a risk of overflowing memory during decompression.
>>
>> Signed-off-by: Ke
:6: warning: cast to pointer from integer of different size
> [-Wint-to-pointer-cast]
> cmd_ximg.c:225:14: warning: 'hdr' may be used uninitialized in this function
> [-Wuninitialized]
>
> Signed-off-by: Simon Glass
Acked-by: Kees Cook
Thanks! You beat me to it. :)
Hi,
Can someone commit this series? It's been fully acked now...
Thanks,
-Kees
On Fri, Aug 16, 2013 at 7:59 AM, Kees Cook wrote:
> v2: added acks, various suggested cleanups
>
> This series fixes gzip, lzma, and lzo to not overflow when writing
> to output buffers. Without
This adds the "test_compression" command when building the sandbox. This
tests the existing compression and decompression routines for simple
sanity and for buffer overflow conditions.
Signed-off-by: Kees Cook
---
v2:
- updates, suggested by Simon Glass:
- replace license text wi
This adds the missing compression config items to the README.
Signed-off-by: Kees Cook
---
v2:
- adjusted language slightly, thanks to Simon Glass
---
README |9 +
1 file changed, 9 insertions(+)
diff --git a/README b/README
index 3918807..6485350 100644
--- a/README
+++ b/README
The output buffer size must be correctly passed to the lzma decoder or
there is a risk of overflowing memory during decompression. Switching
to the LZMA_FINISH_END mode means nothing is left in an unknown state
once the buffer becomes full.
Signed-off-by: Kees Cook
Acked-by: Simon Glass
While nothing presently examines the destination size, it should at
least be correct so that future users of sys_mapmem() will not be
surprised. Without this, it might be possible to overflow memory.
Signed-off-by: Kees Cook
Acked-by: Simon Glass
---
common/cmd_bootm.c |2 +-
1 file
series of compression tests available
in the sandbox build. Without the fixes in patches 3, 4, and 5, the
overflows are visible.
Thanks,
-Kees
Kees Cook (6):
sandbox: add compression tests
documentation: add more compression configs
gzip: correctly bounds-check output buffer
This checks the size of the output buffer and fails if it was going to
overflow the buffer during lzo decompression.
Signed-off-by: Kees Cook
Acked-by: Simon Glass
---
lib/lzo/lzo1x_decompress.c |8 +++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/lib/lzo
The output buffer size must not be reset by the gzip decoder or there
is a risk of overflowing memory during decompression.
Signed-off-by: Kees Cook
Acked-by: Simon Glass
---
lib/gunzip.c |4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/lib/gunzip.c b/lib/gunzip.c
On Thu, Aug 15, 2013 at 10:19 AM, Kees Cook wrote:
> On Wed, Aug 14, 2013 at 10:30 AM, Simon Glass wrote:
>> On Mon, Aug 12, 2013 at 4:48 PM, Kees Cook wrote:
>>> This adds the "test_compression" command when building the sandbox. This
>>> tests the e
On Thu, Aug 15, 2013 at 12:32 PM, Simon Glass wrote:
> Hi Kees,
>
> On Thu, Aug 15, 2013 at 11:19 AM, Kees Cook wrote:
>> On Wed, Aug 14, 2013 at 10:30 AM, Simon Glass wrote:
>>> Hi Kees,
>>>
>>> On Mon, Aug 12, 2013 at 4:48 PM, Kees Cook wrote:
>
On Wed, Aug 14, 2013 at 10:30 AM, Simon Glass wrote:
> Hi Kees,
>
> On Mon, Aug 12, 2013 at 4:48 PM, Kees Cook wrote:
>> This adds the "test_compression" command when building the sandbox. This
>> tests the existing compression and decompression routines for
[sending, now subscribed so mailman won't yell at me]
This series fixes gzip, lzma, and lzo to not overflow when writing
to output buffers. Without this, it might be possible for untrusted
compressed input to overflow the buffers used to hold the decompressed
image.
To catch these conditions, I a
This adds the "test_compression" command when building the sandbox. This
tests the existing compression and decompression routines for simple
sanity and for buffer overflow conditions.
Signed-off-by: Kees Cook
---
include/configs/sandbox.h |5 +
test/Makefile |
This passes the actual memory allocation size for the destination to the
decompression routines, avoiding potential memory overflows.
Signed-off-by: Kees Cook
---
common/cmd_bootm.c |2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/common/cmd_bootm.c b/common/cmd_bootm.c
This adds the missing compression config items to the README.
Signed-off-by: Kees Cook
---
README |9 +
1 file changed, 9 insertions(+)
diff --git a/README b/README
index 5c343da..247b8f3 100644
--- a/README
+++ b/README
@@ -1669,6 +1669,10 @@ CBFS (Coreboot Filesystem) support
The output buffer size must be correctly passed to the lzma decoder or
there is a risk of overflowing memory during decompression. Switching
to the LZMA_FINISH_END mode means nothing is left in an unknown state
once the buffer becomes full.
Signed-off-by: Kees Cook
---
lib/lzma/LzmaTools.c
This checks the size of the output buffer and fails if it was going to
overflow the buffer during lzo decompression.
Signed-off-by: Kees Cook
---
lib/lzo/lzo1x_decompress.c |8 +++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/lib/lzo/lzo1x_decompress.c b/lib/lzo
The output buffer size must not be reset by the gzip decoder or there is a
risk of overflowing memory during decompression.
Signed-off-by: Kees Cook
---
lib/gunzip.c |4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/lib/gunzip.c b/lib/gunzip.c
index 99a8ab0..682a05f 100644
This series fixes gzip, lzma, and lzo to not overflow when writing
to output buffers. Without this, it might be possible for untrusted
compressed input to overflow the buffers used to hold the decompressed
image.
To catch these conditions, I added a series of compression tests available
in the san
26 matches