[U-Boot] [PATCH v2 0/6] handle compression buffer overflows

Kees Cook keescook at chromium.org
Fri Aug 16 16:59:10 CEST 2013


v2: added acks, various suggested cleanups

This series fixes gzip, lzma, and lzo to not overflow when writing
to output buffers. Without this, it might be possible for untrusted
compressed input to overflow the buffers used to hold the decompressed
image.

To catch these conditions, I added a series of compression tests available
in the sandbox build. Without the fixes in patches 3, 4, and 5, the
overflows are visible.

Thanks,

-Kees

Kees Cook (6):
      sandbox: add compression tests
      documentation: add more compression configs
      gzip: correctly bounds-check output buffer
      lzma: correctly bounds-check output buffer
      lzo: correctly bounds-check output buffer
      bootm: allow correct bounds-check of destination

 README                     |    9 ++
 common/cmd_bootm.c         |    2 +-
 include/configs/sandbox.h  |    5 +
 lib/gunzip.c               |    4 +-
 lib/lzma/LzmaTools.c       |    8 +-
 lib/lzo/lzo1x_decompress.c |    8 +-
 test/Makefile              |    1 +
 test/compression.c         |  335 ++++++++++++++++++++++++++++++++++++++++++++
 8 files changed, 366 insertions(+), 6 deletions(-)
 create mode 100644 test/compression.c



More information about the U-Boot mailing list