Message ID | patch-1.thread-41c676.git-41c676c2d153.your-ad-here.call-01675030179-ext-9637@work.hours |
---|---|
State | New |
Headers | Date: Sun, 29 Jan 2023 23:47:23 +0100; From: Vasily Gorbik <gor@linux.ibm.com>; To: Heiko Carstens <hca@linux.ibm.com>, Alexander Egorenkov <egorenar@linux.ibm.com>; Cc: Thomas Bogendoerfer <tsbogend@alpha.franken.de>, Nick Terrell <terrelln@fb.com>, linux-s390@vger.kernel.org, linux-kernel@vger.kernel.org, linux-mips@vger.kernel.org; Subject: [PATCH 1/1] s390/decompressor: specify __decompress() buf len to avoid overflow |
Series | s390: fix initrd corruption in decompressor with new zstd version |
Commit Message
Vasily Gorbik
Jan. 29, 2023, 10:47 p.m. UTC
Historically calls to __decompress() didn't specify "out_len" parameter
on many architectures including s390, expecting that no writes beyond
uncompressed kernel image are performed. This has changed since commit
2aa14b1ab2c4 ("zstd: import usptream v1.5.2") which includes zstd library
commit 6a7ede3dfccb ("Reduce size of dctx by reutilizing dst buffer
(#2751)"). Now zstd decompression code might store literal buffer in
the unwritten portion of the destination buffer. Since "out_len" is
not set, it is considered to be unlimited and hence free to use for
optimization needs. On s390 this might corrupt initrd or ipl report
which are often placed right after the decompressor buffer. Luckily the
size of uncompressed kernel image is already known to the decompressor,
so to avoid the problem simply specify it in the "out_len" parameter.
Link: https://github.com/facebook/zstd/commit/6a7ede3dfccb
Signed-off-by: Vasily Gorbik <gor@linux.ibm.com>
---
arch/s390/boot/decompressor.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
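The failure mode the commit message describes, as an added example that is not part of the original patch: a toy run-length decoder (hypothetical, not zstd or kernel code) stages data in the unwritten part of the destination whenever the caller's `out_len` says the space exists. All names, sizes and the input stream are constructed for the demo.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* All sizes are constructed for the demo. */
#define IMAGE_SIZE  64  /* known uncompressed size (vmlinux.image_size in the patch) */
#define INITRD_SIZE 32  /* data placed right after the output buffer */
#define SCRATCH     16  /* staging area the toy decoder wants per block */
#define AHEAD       24  /* distance ahead of the write pointer where it stages */

/* Hypothetical toy decoder: input is (count, byte) pairs; out_len == 0 means "unlimited". */
static long toy_decompress(const uint8_t *in, size_t in_len,
                           uint8_t *dst, size_t out_len)
{
    uint8_t internal[SCRATCH];
    size_t cap = out_len ? out_len : SIZE_MAX;
    size_t written = 0;
    for (size_t i = 0; i + 1 < in_len; i += 2) {
        size_t n = in[i], room = cap - written;
        if (n > SCRATCH || n > room)
            return -1;                       /* would overflow the output */
        /* Stage in unwritten dst space only if the caller says it exists. */
        uint8_t *lit = (room >= AHEAD + SCRATCH) ? dst + written + AHEAD
                                                 : internal;
        memset(lit, in[i + 1], SCRATCH);
        memcpy(dst + written, lit, n);
        written += n;
    }
    return (long)written;
}

/* Returns 1 if the image decoded fully and the initrd bytes are untouched. */
static int initrd_intact_after(size_t out_len)
{
    static const uint8_t stream[] = { 16, 'A', 16, 'B', 16, 'C', 16, 'D' };
    uint8_t mem[IMAGE_SIZE + INITRD_SIZE], ref[INITRD_SIZE];
    memset(mem, 0, IMAGE_SIZE);
    memset(mem + IMAGE_SIZE, 0xAA, INITRD_SIZE);   /* constructed initrd */
    memset(ref, 0xAA, INITRD_SIZE);
    long got = toy_decompress(stream, sizeof(stream), mem, out_len);
    return got == IMAGE_SIZE && memcmp(mem + IMAGE_SIZE, ref, INITRD_SIZE) == 0;
}

int main(void)
{
    printf("intact with out_len=0: %d, with out_len=IMAGE_SIZE: %d\n",
           initrd_intact_after(0), initrd_intact_after(IMAGE_SIZE));
    return 0;
}
```

In both runs the decoded image is identical; only the bytes after it differ, which is why this kind of corruption goes unnoticed until the initrd is used.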
Comments
Hi Vasily,
thanks for the fix, tested on s390 + KVM + buildroot + linux-next.
Tested-by: Alexander Egorenkov <egorenar@linux.ibm.com>
Regards
Alex
On Sun, Jan 29, 2023 at 11:47:23PM +0100, Vasily Gorbik wrote:
> Historically calls to __decompress() didn't specify "out_len" parameter
> on many architectures including s390, expecting that no writes beyond
> uncompressed kernel image are performed. This has changed since commit
> 2aa14b1ab2c4 ("zstd: import usptream v1.5.2") which includes zstd library
> commit 6a7ede3dfccb ("Reduce size of dctx by reutilizing dst buffer
> (#2751)"). Now zstd decompression code might store literal buffer in
> the unwritten portion of the destination buffer. Since "out_len" is
> not set, it is considered to be unlimited and hence free to use for
> optimization needs. On s390 this might corrupt initrd or ipl report
> which are often placed right after the decompressor buffer. Luckily the
> size of uncompressed kernel image is already known to the decompressor,
> so to avoid the problem simply specify it in the "out_len" parameter.
>
> Link: https://github.com/facebook/zstd/commit/6a7ede3dfccb
> Signed-off-by: Vasily Gorbik <gor@linux.ibm.com>
> ---
> arch/s390/boot/decompressor.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
Applied, thanks!
diff --git a/arch/s390/boot/decompressor.c b/arch/s390/boot/decompressor.c index 090621b98d95..d762733a0753 100644 --- a/arch/s390/boot/decompressor.c +++ b/arch/s390/boot/decompressor.c @@ -81,6 +81,6 @@ void *decompress_kernel(void) void *output = (void *)decompress_offset; __decompress(_compressed_start, _compressed_end - _compressed_start, - NULL, NULL, output, 0, NULL, error); + NULL, NULL, output, vmlinux.image_size, NULL, error); return output; }
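Review bot: the changed __decompress() call in decompress_kernel() still discards its return value, so with out_len now set to vmlinux.image_size a stream that would exceed that bound is caught only if the error callback does not return; consider checking the return value before `return output;` or noting that error() halts. A short comment above the call stating that out_len must be the exact image size rather than 0, because the decompressor may use unwritten destination space as scratch, would keep the argument from being changed back later.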