Date: Sun, 29 Jan 2023 23:47:23 +0100
From: Vasily Gorbik
To: Heiko Carstens, Alexander Egorenkov
Cc: Thomas Bogendoerfer, Nick Terrell, linux-s390@vger.kernel.org, linux-kernel@vger.kernel.org, linux-mips@vger.kernel.org
Subject: [PATCH 1/1] s390/decompressor: specify __decompress() buf len to avoid overflow

Historically calls to __decompress() didn't specify "out_len" parameter on many architectures including s390, expecting that no writes beyond uncompressed kernel image are performed. This has changed since commit 2aa14b1ab2c4 ("zstd: import usptream v1.5.2") which includes zstd library commit 6a7ede3dfccb ("Reduce size of dctx by reutilizing dst buffer (#2751)"). Now zstd decompression code might store literal buffer in the unwritten portion of the destination buffer. Since "out_len" is not set, it is considered to be unlimited and hence free to use for optimization needs. On s390 this might corrupt initrd or ipl report which are often placed right after the decompressor buffer.
Luckily the size of uncompressed kernel image is already known to the decompressor, so to avoid the problem simply specify it in the "out_len" parameter.

Link: https://github.com/facebook/zstd/commit/6a7ede3dfccb
Signed-off-by: Vasily Gorbik

--- arch/s390/boot/decompressor.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/arch/s390/boot/decompressor.c b/arch/s390/boot/decompressor.c index 090621b98d95..d762733a0753 100644 --- a/arch/s390/boot/decompressor.c +++ b/arch/s390/boot/decompressor.c @@ -81,6 +81,6 @@ void *decompress_kernel(void) void *output = (void *)decompress_offset; __decompress(_compressed_start, _compressed_end - _compressed_start, - NULL, NULL, output, 0, NULL, error); + NULL, NULL, output, vmlinux.image_size, NULL, error); return output; } -- 2.38.1
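
Review bot: at the changed __decompress() call in decompress_kernel(), nothing at the call site records why out_len has to be vmlinux.image_size rather than 0, so a later cleanup could put the 0 back; a one-line comment above the call (0 is treated as unlimited, and the decompressor may then use memory past the image as scratch) would keep the reason next to the code. The return value of __decompress() is still discarded before "return output;", so failure reporting rests entirely on the error callback, which is worth confirming as intended now that the output is bounded. The message names 2aa14b1ab2c4 as the commit that changed the behaviour but carries no Fixes: trailer for it.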
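
The failure mode the commit message describes, as an added example that is not part of the patch and is not kernel or zstd code: a toy run-length decoder that, like the described behaviour, borrows unwritten destination space as scratch when the stated capacity allows it. The names `toy_decompress`, `neighbour_intact_after`, `IMAGE_SIZE` and `NEIGHBOUR` and the memory layout are assumptions made for illustration; zstd's real buffer placement is not modelled.

```c
#include <stdio.h>
#include <string.h>

#define IMAGE_SIZE 16            /* constructed stand-in for vmlinux.image_size */
#define NEIGHBOUR  8             /* constructed data placed right after the image */
/* Toy RLE decoder over (count, byte) pairs; hypothetical, not zstd.
 * out_len == 0 means "no limit". If the stated capacity leaves room past the
 * final output, literals are staged there. Returns bytes produced or -1. */
static long toy_decompress(const unsigned char *in, size_t in_len,
                           unsigned char *out, size_t out_len)
{
    static unsigned char internal[32];          /* fallback scratch */
    size_t cap = out_len ? out_len : (size_t)-1;
    size_t pairs = in_len / 2, total = 0, pos = 0, i;
    unsigned char *lit;
    for (i = 0; i < pairs; i++)
        total += in[2 * i];
    if (total > cap || pairs > sizeof(internal))
        return -1;
    lit = (cap - total >= pairs) ? out + total : internal;
    for (i = 0; i < pairs; i++)                 /* stage literals */
        lit[i] = in[2 * i + 1];
    for (i = 0; i < pairs; i++) {               /* expand runs into out */
        memset(out + pos, lit[i], in[2 * i]);
        pos += in[2 * i];
    }
    return (long)total;
}

/* Returns 1 if the bytes after the image survive decompression, 0 if not. */
static int neighbour_intact_after(size_t out_len)
{
    static const unsigned char in[] = { 8, 'A', 8, 'B' };   /* constructed */
    unsigned char mem[IMAGE_SIZE + NEIGHBOUR];
    size_t i;
    memset(mem, 0x5a, sizeof(mem));
    if (toy_decompress(in, sizeof(in), mem, out_len) != IMAGE_SIZE)
        return -1;
    for (i = IMAGE_SIZE; i < sizeof(mem); i++)
        if (mem[i] != 0x5a)
            return 0;
    return 1;
}

int main(void)
{
    printf("unbounded intact=%d, bounded intact=%d\n",
           neighbour_intact_after(0), neighbour_intact_after(IMAGE_SIZE));
    return 0;
}
```

With the capacity set to the exact image size the decoder has no slack to borrow and falls back to its own buffer, which is the effect the one-line change relies on.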