Received: by 2002:ad5:474a:0:0:0:0:0 with SMTP id i10csp1178342imu;
        Wed, 28 Nov 2018 05:54:32 -0800 (PST)
X-Google-Smtp-Source: AFSGD/XmImjjTSfa+pIWdVIXnx7bpT+p80aW8Xj6QtCzBd0Eg21csQrIMaoiIMpMzoj20h1nd6Bj
X-Received: by 2002:a65:5286:: with SMTP id y6mr33236474pgp.439.1543413272889;
        Wed, 28 Nov 2018 05:54:32 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1543413272; cv=none;
        d=google.com; s=arc-20160816;
        b=QQ78pp2OLn8QpkEJ8U/lj1YcNGwfIwxInDOXA8XHkrHziIwDm9WWZ/NT0+dCuB1MbT
         5gpYEN2PFCd9getbZL7DDLP1IJkDTb+tqsM5KRWtkSZkLSzPs1NmxqPbWajn9ASB9dmZ
         eNv98eDS1HR7+Z3AzqmvoIJa8bcrjnrS++sSWodr7c4rfVKqWaKospSCSqhS2g2+EooG
         MIU+tQbsHcCRSV0/vWb9vDJykTCzVQtb/osqHCBo61fxczS5bfo+xIJm1+R44OII7fof
         JrkFxwEgsWptdGcVTKhz3w9v6Vh1EVRp8bzP3GLQdpcI/nh888tTH07L3QjHByIArNt+
         EDlw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:user-agent:in-reply-to
         :content-disposition:mime-version:references:mail-followup-to
         :reply-to:message-id:subject:cc:to:from:date;
        bh=dfpaNPa5GTYagnI5QgEeLDM6jU5Ls1Xnccls3F3vPxs=;
        b=kwwbT5ouodjTUdy+w2BXfFYSBQ/wlua8czShEb5J9hrwSGc8SYGW/+3LaX/NY4ZRzA
         a6DVhAsZ0qVjO1yXlP0rBMvmlgsGmYms2cItagAWEJtKuBHYeGwCChSi+pF3iV3Uux7u
         2CR+cTijJJkv+hBQkJUUb8fIZ4dG0IeOkO8L1/2kA9Kg3IfAlRei5rdz895tLKE/WcEV
         mbomMCRHcnJxlAE1q9Pv0cmCePc5Y1qibQIzGP2Bv6v9VK2nZSc7pHHYb4vMdvZhMrbe
         fYkULS4GWGqZFGZg2hYbE1eAEOhSjXeoCTvDjpYl8ye66Ys6grPd7WNnIny64mcSWvYW
         JtOA==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id d32si7510843pla.136.2018.11.28.05.54.17;
        Wed, 28 Nov 2018 05:54:32 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1728827AbeK2Ayp (ORCPT <rfc822;xiaochao379261131@gmail.com>
        + 99 others); Wed, 28 Nov 2018 19:54:45 -0500
Received: from mx2.suse.de ([195.135.220.15]:48616 "EHLO mx1.suse.de"
        rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP
        id S1728348AbeK2Ayo (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Wed, 28 Nov 2018 19:54:44 -0500
X-Virus-Scanned: by amavisd-new at test-mx.suse.de
Received: from relay1.suse.de (unknown [195.135.220.254])
        by mx1.suse.de (Postfix) with ESMTP id CC183AF6F;
        Wed, 28 Nov 2018 13:52:59 +0000 (UTC)
Received: by ds.suse.cz (Postfix, from userid 10065)
        id 07243DAC7E; Wed, 28 Nov 2018 14:52:42 +0100 (CET)
Date:   Wed, 28 Nov 2018 14:52:42 +0100
From:   David Sterba <dsterba@suse.cz>
To:     Yueyi Li <liyueyi@live.com>
Cc:     "gregkh@linuxfoundation.org" <gregkh@linuxfoundation.org>,
        "w@1wt.eu" <w@1wt.eu>,
        "donb@securitymouse.com" <donb@securitymouse.com>,
        "linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
        markus@oberhumer.com
Subject: Re: [PATCH v2] lzo: fix ip overrun during compress.
Message-ID: <20181128135242.gy3avmbp2pdmjaka@twin.jikos.cz>
Reply-To: dsterba@suse.cz
Mail-Followup-To: dsterba@suse.cz, Yueyi Li <liyueyi@live.com>,
        "gregkh@linuxfoundation.org" <gregkh@linuxfoundation.org>,
        "w@1wt.eu" <w@1wt.eu>,
        "donb@securitymouse.com" <donb@securitymouse.com>,
        "linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
        markus@oberhumer.com
References: <BLUPR13MB0289EFEB79833470EE62F48EDFD10@BLUPR13MB0289.namprd13.prod.outlook.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <BLUPR13MB0289EFEB79833470EE62F48EDFD10@BLUPR13MB0289.namprd13.prod.outlook.com>
User-Agent: NeoMutt/20180716
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

Adding Markus to to CC

On Wed, Nov 28, 2018 at 07:31:26AM +0000, Yueyi Li wrote:
> It`s possible ip overrun in lzo1x_1_do_compress() when compressed page is
> point to the end of memory and which virtual address is 0xfffffffffffff000.
> Leading to a NULL pointer access during the get_unaligned_le32(ip).

So this could happen in practice in zram, but unlikely for other users
of lzo (like btrfs). I'm not sure but expect that the last page would
not be returned by allocator.

The fix is adding a few branches to code that's supposed to be as fast
as possible. The branches would be evaluated all the time while
protecting against one signle bad page address. This does not look like
a good performance tradeoff.

> +#define OVERFLOW_ADD_CHECK(a, b)  \
> +		(((a) + (b)) < (a))

I'm not sure if this is generally safe overflow check (never not
optimized out). Here it depends on the types of 'a' and 'b' that are
pointer (ip) and size_t (m_len). GCC has __builtin_add_overflow_p so
that one should be used where possible.