Received: by 2002:ad5:474a:0:0:0:0:0 with SMTP id i10csp9009102imu; Tue, 4 Dec 2018 19:10:35 -0800 (PST) X-Google-Smtp-Source: AFSGD/UmqZbDEu8F7SBUbZC9yUeD4E5jm1mSx+sjFBFVv5OYSrs3ji1PmOHoeDElCg2QrZXM+ytK X-Received: by 2002:a63:2946:: with SMTP id p67mr19310750pgp.317.1543979435238; Tue, 04 Dec 2018 19:10:35 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1543979435; cv=none; d=google.com; s=arc-20160816; b=hJwEDq8PJ5osXvrcYdQiSRywMDHi3YIAQry7M75tVASlihynucm4UjjwI+LLpRDHoz QDrBarVLCI7BUWEWGFmS6L/HQ2NVmNfggaOIHZXY+l7t+I/OG6Ix4r3yJtSoAupebqvz Co2wAsMYRdOxVEciY+obcIo7PFdASjwcQ/YeJnVPjGK6ZZdNxWLp8wIme0ru4BiGrYBb dDOTxVEU2pZJtfaxfYt4nVgryiiGoBKrJYbVDqU18vQiboXFerTELn98IEFnUMSmLTug adGUfbCULGbCRXM1SRABm/7Ezm7iOLjMECdVyB9ey0TdHLUTklHu2PuxJXMRsCx/xjqL Vp4Q== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:mime-version:content-transfer-encoding :content-id:content-language:accept-language:in-reply-to:references :message-id:date:thread-index:thread-topic:subject:cc:to:from :dkim-signature; bh=vLbuKtsJRrhmz3LT2AQs2aRNciZ78LX7hNLENIVFBjU=; b=SjYYEQeMbgAJVpM6mvwZgxBLRqkNuA/1HfLmFByi4atVMHW44ROmeG6kfVxMCF76sa s1s2sa81UT9x8Zsza3b2CpDr0NCqdjJcjnRwEqJ6IqUXlevZayf8rMXG0I3Rv+WbjnA9 W/IFlSsUvmJOU02MAhoBiPe2k0TQ7Uln6saE82w7T9t1asnU4BCvJaJXtX5vx4fLGtkG zKOHI8OWBuL04nNUXPj/Q7Msx69UrPo1Th71TRGZg5OypSGZPagVpacw5tbc5HMcKKg3 rKAzBtfSL0jxZG9+EMO6GrKpaHE2V7o/EkW1LtHozeULej/eNF6Gz6UYpCyCWf2hW1bT STyA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@live.com header.s=selector1 header.b=Rlnq7ede; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=live.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id h129si20809023pfb.253.2018.12.04.19.10.19; Tue, 04 Dec 2018 19:10:35 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@live.com header.s=selector1 header.b=Rlnq7ede; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=live.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726810AbeLEDIB (ORCPT + 99 others); Tue, 4 Dec 2018 22:08:01 -0500 Received: from mail-oln040092009051.outbound.protection.outlook.com ([40.92.9.51]:6117 "EHLO NAM04-BN3-obe.outbound.protection.outlook.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1725878AbeLEDIA (ORCPT ); Tue, 4 Dec 2018 22:08:00 -0500 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=live.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=vLbuKtsJRrhmz3LT2AQs2aRNciZ78LX7hNLENIVFBjU=; b=Rlnq7ede8pUCH80o4IejO+/A/M9jdCemlP8QyeaKBaQGCvRV2flpiNGbNve8eHA3mMgQNmURS5i7EY3lLDOxaCoZBMVrqVJXhTVWvITnnJG4vsiSKGCsWMLTQzP/DLpBrGxj0htqFqSPVlU2wmMMn2yu/u5E9X9WL+CCfsbXPCHZKoxxyC0+PUDriqAEnyFsBKgx6LOb0b/rcQ0aDcZzgyJaY7vqEL2sIj0qMtbEZI6NmfWh+7Y9+mQIYc7rK0g+vXguVac2jLJyNuQ71zzHjJ3V/Teyksup33/eDoxZAXClJWvRuGTiaw5iOdzi2ceUAyggkcN0WIeWYBEz4H+6WA== Received: from BN3NAM04FT052.eop-NAM04.prod.protection.outlook.com (10.152.92.57) by BN3NAM04HT023.eop-NAM04.prod.protection.outlook.com (10.152.93.122) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) id 15.20.1404.17; Wed, 5 Dec 2018 03:07:58 +0000 Received: from SN1PR13MB0304.namprd13.prod.outlook.com (10.152.92.56) by BN3NAM04FT052.mail.protection.outlook.com (10.152.92.241) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1404.17 via Frontend Transport; Wed, 5 Dec 2018 03:07:58 +0000 Received: from SN1PR13MB0304.namprd13.prod.outlook.com ([fe80::399e:4b0e:8423:5bad]) by SN1PR13MB0304.namprd13.prod.outlook.com ([fe80::399e:4b0e:8423:5bad%3]) with mapi id 15.20.1404.016; Wed, 5 Dec 2018 03:07:58 +0000 From: Yueyi Li To: "Markus F.X.J. Oberhumer" , "dsterba@suse.cz" , "gregkh@linuxfoundation.org" , "w@1wt.eu" , "donb@securitymouse.com" CC: "linux-kernel@vger.kernel.org" Subject: Re: [PATCH v2] lzo: fix ip overrun during compress. Thread-Topic: [PATCH v2] lzo: fix ip overrun during compress. Thread-Index: AQHUhuxfhCM/itRkZUmE23ES7mjh0qVlNWoAgAkytACAARlyAA== Date: Wed, 5 Dec 2018 03:07:58 +0000 Message-ID: References: <20181128135242.gy3avmbp2pdmjaka@twin.jikos.cz> <5C0654EE.5040001@oberhumer.com> In-Reply-To: <5C0654EE.5040001@oberhumer.com> Accept-Language: en-US, zh-CN Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-clientproxiedby: HK0PR04CA0002.apcprd04.prod.outlook.com (2603:1096:203:36::14) To SN1PR13MB0304.namprd13.prod.outlook.com (2a01:111:e400:c42a::30) x-incomingtopheadermarker: OriginalChecksum:66EF434305ECB96DDEC6DBC10391118EB9BE1E58D9FB71BC9F54884C5D131134;UpperCasedChecksum:4B58398381E8F205A32B563A83AF6321FF85099A27EEA46B9C81EA533A0C5BB7;SizeAsReceived:7784;Count:50 x-ms-exchange-messagesentrepresentingtype: 1 x-tmn: [Yb5Ox/83svVV3pYk/IoNaSJKzAJwONhj] x-ms-publictraffictype: Email x-microsoft-exchange-diagnostics: 1;BN3NAM04HT023;6:kzjYXkEx/6DDyU1lBH6v/Kdh/exqlQule+FmqofjKmcd5Ylkh42tdZdKjyFv9zfEQKC/bDZHBh0eD07Vzs0uuN41j/KxFft8ouZw5p6dWNibvHIRq30Qo0I8EYTV0rC3GUI+cyAlnSm5awYcxYWZTkf+rxFpx2DS491b2xR5ptaVaG2tPGVY0El3xlfbZpjeC8uDZd+gv3Boi/5nHK6xtVIEA66ZFMyfv/UwNal5rDjfsSn4vt+nXEGqLsfxvbDK9V3lrEyejPI+7jWJhSodKPmh/OMQRDnTAOqdqDXSSYmDeLBaZ4nMOyp3ZkKVrhq/tggdSfFDA5LV/6RL6mtx22VgFhehNSpq6rIMbYbKAF2whkFo4FJqVpw2rrr+R5e+KWSfhdY75FzE368ZbozigLUh20q+Gr3yhNQIAaXNiqG7TF+oEkYwde+0glTwbujW+xfYq7vqEVqflZtG7GYHCg==;5:Zrh+/GMKD12Vti1Gnkm/2EEQjByZATnc7JKhsNUVkCFs42Ww6vfLzGM3nHVkhffIxx2BFdk66qjwonod0DYxxUmWFKHGPKBYNaWR0VDqh1X3MMa44Y8rNgOGPMHqelm/rQ9jryPpHlyjWwnJuwhJ9gcxu39jZVnmAbMxgAvpbLY=;7:fIgk411clJ7rI1/cscbKZhOXi8VoO/zIagq/lQWOdZ3oYi7L5/SkUVfaJzD+pTYsXYJ/BBrTh2/kvx8/rX18E2iSC5FmR8V7IyeGg5EOLRieL0iWN7dcS5m2pX8NQ93Ub41Qgc82Z5/U0Bz3LplMRw== x-incomingheadercount: 50 x-eopattributedmessage: 0 x-microsoft-antispam: BCL:0;PCL:0;RULEID:(2390098)(7020095)(201702061078)(5061506573)(5061507331)(1603103135)(2017031320274)(2017031324274)(2017031323274)(2017031322404)(1603101475)(1601125500)(1701031045);SRVR:BN3NAM04HT023; x-ms-traffictypediagnostic: BN3NAM04HT023: x-exchange-antispam-report-cfa-test: BCL:0;PCL:0;RULEID:(4566010)(82015058);SRVR:BN3NAM04HT023;BCL:0;PCL:0;RULEID:;SRVR:BN3NAM04HT023; x-microsoft-antispam-message-info: pFTvcd5vqCxIL8SKBEf/TWMMfMhhOV6U9kgvstQM7OqL1d15PUfTiRGuTNiSWEtf Content-Type: text/plain; charset="Windows-1252" Content-ID: <134CC919548DFB49A9286CA73E1EAB66@namprd13.prod.outlook.com> Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 X-OriginatorOrg: live.com X-MS-Exchange-CrossTenant-RMS-PersistedConsumerOrg: f12efbb0-867f-4c93-8261-502eceebfafa X-MS-Exchange-CrossTenant-Network-Message-Id: 7f25aeed-6c9c-40de-b4b8-08d65a5edb0a X-MS-Exchange-CrossTenant-rms-persistedconsumerorg: f12efbb0-867f-4c93-8261-502eceebfafa X-MS-Exchange-CrossTenant-originalarrivaltime: 05 Dec 2018 03:07:58.3154 (UTC) X-MS-Exchange-CrossTenant-fromentityheader: Internet X-MS-Exchange-CrossTenant-id: 84df9e7f-e9f6-40af-b435-aaaaaaaaaaaa X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN3NAM04HT023 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Hi Markus, Thanks for your review. On 2018/12/4 18:20, Markus F.X.J. Oberhumer wrote: > Hi, > > I don't think that address space wraparound is legal in C, but I > understand that we are in kernel land and if you really want to > compress the last virtual page 0xfffffffffffff000 the following > small patch should fix that dubious case. I guess the VA 0xfffffffffffff000 is available because KASLR be enabled. For this case we can see: crash> kmem 0xfffffffffffff000 PAGE PHYSICAL MAPPING INDEX CNT FLAGS ffffffbfffffffc0 1fffff000 ffffffff1655ecb9 7181fd5 2=20 8000000000064209 locked,uptodate,owner_priv_1,writeback,reclaim,swapbacked > This also avoids slowing down the the hot path of the compression > core function. > > Cheers, > Markus > > > > diff --git a/lib/lzo/lzo1x_compress.c b/lib/lzo/lzo1x_compress.c > index 236eb21167b5..959dec45f6fe 100644 > --- a/lib/lzo/lzo1x_compress.c > +++ b/lib/lzo/lzo1x_compress.c > @@ -224,8 +224,8 @@ int lzo1x_1_compress(const unsigned char *in, size_t = in_len, > =20 > while (l > 20) { > size_t ll =3D l <=3D (M4_MAX_OFFSET + 1) ? l : (M4_MAX_O= FFSET + 1); > - uintptr_t ll_end =3D (uintptr_t) ip + ll; > - if ((ll_end + ((t + ll) >> 5)) <=3D ll_end) > + // check for address space wraparound > + if (((uintptr_t) ip + ll + ((t + ll) >> 5)) <=3D (uintptr= _t) ip) > break; > BUILD_BUG_ON(D_SIZE * sizeof(lzo_dict_t) > LZO1X_1_MEM_C= OMPRESS); > memset(wrkmem, 0, D_SIZE * sizeof(lzo_dict_t)); I parsed panic ramdump and loaded CPU register values, can see: -000|lzo1x_1_do_compress( | in =3D 0xFFFFFFFFFFFFF000, | ?, | out =3D 0xFFFFFFFF2E2EE000, | out_len =3D 0xFFFFFF801CAA3510, | ?, | wrkmem =3D 0xFFFFFFFF4EBC0000) | dict =3D 0xFFFFFFFF4EBC0000 | op =3D 0x1 | ip =3D 0x9 | ii =3D 0x9 | in_end =3D 0x0 | ip_end =3D 0xFFFFFFFFFFFFFFEC | m_len =3D 0 | m_off =3D 1922 -001|lzo1x_1_compress( | in =3D 0xFFFFFFFFFFFFF000, | in_len =3D 0, | out =3D 0xFFFFFFFF2E2EE000, | out_len =3D 0x00000001616FB7D0, | wrkmem =3D 0xFFFFFFFF4EBC0000) | ip =3D 0xFFFFFFFFFFFFF000 | op =3D 0xFFFFFFFF2E2EE000 | l =3D 4096 | t =3D 0 | ll =3D 4096 ll =3D l =3D in_len =3D 4096 in lzo1x_1_compress, so your patch is working= =20 for this panic case, but, I`m not sure, is it possible that in =3D 0xFFFFFFFFFFFFF000 and in_len < 4096? Thanks, Yueyi