forked from pool/kexec-tools
kexec-tools/0022-uImage-fix-realloc-pointer-confusion.patch
Accepting request 500203 from home:tiwai:branches:Kernel:kdump

- Update to version 2.0.14 (bsc#1039937, FATE#320672, FATE#320671)
  Changelog: http://git.kernel.org/cgit/utils/kernel/kexec/kexec-tools.git/log/?id=refs/tags/v2.0.13..v2.0.14
- Backport upstream fixes (bsc#1039937, FATE#320672, FATE#320671)
  0001-kexec-tools-2.0.14.git.patch
  0002-ppc64-Reduce-number-of-ELF-LOAD-segments.patch
  0003-kexec-Increase-the-upper-limit-for-RAM-segments.patch
  0004-alpha-add-missing-__NR_kexec_load-definition.patch
  0005-kexec-implemented-XEN-KEXEC-STATUS-to-determine-if-a.patch
  0006-kexec-Remove-redundant-space-from-help-message.patch
  0007-purgatory-Add-purgatory.map-and-purgatory.ro.sym-to-.patch
  0008-kexec-Add-option-to-get-crash-kernel-region-size.patch
  0009-crashdump-arm-Add-get_crash_kernel_load_range-functi.patch
  0010-crashdump-arm64-Add-get_crash_kernel_load_range-func.patch
  0011-crashdump-cris-Add-get_crash_kernel_load_range-funct.patch
  0012-crashdump-ia64-Add-get_crash_kernel_load_range-funct.patch
  0013-crashdump-m68k-Add-get_crash_kernel_load_range-funct.patch
  0014-crashdump-mips-Add-get_crash_kernel_load_range-funct.patch
  0015-crashdump-ppc-Add-get_crash_kernel_load_range-functi.patch
  0016-crashdump-ppc64-Add-get_crash_kernel_load_range-func.patch
  0017-crashdump-s390-Add-get_crash_kernel_load_range-funct.patch
  0018-crashdump-sh-Add-get_crash_kernel_load_range-functio.patch
  0019-gitignore-add-two-generated-files-in-purgatory.patch
  0020-Only-print-debug-message-when-failed-to-serach-for-k.patch
  0021-build_mem_phdrs-check-if-p_paddr-is-invalid.patch
  0022-uImage-fix-realloc-pointer-confusion.patch
  0023-uImage-Fix-uImage_load-for-little-endian-machines.patch
  0024-uImage-Add-new-IH_ARCH_xxx-definitions.patch
  0025-uImage-use-char-instead-of-unsigned-char-for-uImage_.patch
  0026-uImage-use-char-instead-of-unsigned-char-for-uImage_.patch
  0027-arm64-add-uImage-support.patch

OBS-URL: https://build.opensuse.org/request/show/500203
OBS-URL: https://build.opensuse.org/package/show/Kernel:kdump/kexec-tools?expand=0&rev=83
2017-05-31 22:00:34 +02:00
From 0cc1891c4dc84a2cbbd1f126134ce51538f260dc Mon Sep 17 00:00:00 2001
From: David Woodhouse <dwmw@amazon.co.uk>
Date: Wed, 8 Mar 2017 22:41:08 +0000
Subject: [PATCH 22/45] uImage: fix realloc() pointer confusion
We carefully avoid the realloc() API trap by *not* using the
'ptr = realloc(ptr, new_size)' idiom which can lead to leaks on
failure. Very commendable, even though all we're going to do is
exit() on failure so it wouldn't have mattered.
What *does* matter is that we then ask zlib to continue
decompression... just past the end of the *old* buffer that just
got freed. Oops.
Apparently nobody has *ever* tested this code by booting a uImage
with a compressed payload larger than 10MiB.
Signed-off-by: David Woodhouse <dwmw@amazon.co.uk>
Signed-off-by: Simon Horman <horms@verge.net.au>
---
kexec/kexec-uImage.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/kexec/kexec-uImage.c b/kexec/kexec-uImage.c
index 5e24629880bc..667cd932fd27 100644
--- a/kexec/kexec-uImage.c
+++ b/kexec/kexec-uImage.c
@@ -210,9 +210,9 @@ static int uImage_gz_load(const unsigned char *buf, off_t len,
return -1;
}
+ uncomp_buf = new_buf;
strm.next_out = uncomp_buf + mem_alloc - inc_buf;
strm.avail_out = inc_buf;
- uncomp_buf = new_buf;
} else {
printf("Error during decompression %d\n", ret);
return -1;
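Review bot: the moved line `+ uncomp_buf = new_buf;` deserves a one-line comment stating that it must stay ahead of the `strm.next_out` computation, because nothing in the code otherwise stops a future cleanup from swapping the two statements back; the reorder itself is right, since `strm.next_out = uncomp_buf + mem_alloc - inc_buf;` now derives the output cursor from the block realloc() returned rather than from the old pointer realloc() may already have freed. It is also worth confirming from the lines above the hunk that mem_alloc has already been increased by inc_buf at this point, as the `mem_alloc - inc_buf` offset assumes.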
--
2.13.0
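The ordering rule the commit message describes, shown as an added C example that is not kexec-tools' code (the struct, the field names borrowed from the hunk, and the grow_demo driver are assumptions): the write cursor is rebuilt from the pointer realloc() returns plus a saved offset, so a moved block never leaves next_out pointing into freed memory, and a failed realloc() leaves the old buffer intact.

```c
#include <stdlib.h>

/* Output-buffer state using the names the patch touches (illustrative, not
 * kexec-tools' own struct). next_out plays the role of strm.next_out. */
struct out_state {
    unsigned char *uncomp_buf;  /* base of the growing output buffer */
    size_t mem_alloc;           /* bytes allocated so far */
    size_t inc_buf;             /* growth step per realloc() */
    unsigned char *next_out;    /* write cursor */
    size_t avail_out;           /* free bytes at next_out */
};

/* Grow by inc_buf. realloc() may move the block and free the old one, so the
 * cursor is rebuilt from the NEW base plus a saved offset, never from the old
 * uncomp_buf. On failure the old buffer is untouched (no leak, no dangling). */
static int grow_out(struct out_state *s)
{
    size_t used = s->mem_alloc - s->avail_out;      /* offset survives a move */
    unsigned char *new_buf = realloc(s->uncomp_buf, s->mem_alloc + s->inc_buf);
    if (!new_buf)
        return -1;
    s->mem_alloc += s->inc_buf;
    s->uncomp_buf = new_buf;                        /* assign base first ... */
    s->next_out = s->uncomp_buf + used;             /* ... then derive cursor */
    s->avail_out = s->mem_alloc - used;
    return 0;
}

/* Stand-in for inflate(): emit `total` bytes of a known pattern, growing the
 * buffer each time avail_out hits zero. Returns 1 if every byte is intact. */
int grow_demo(size_t inc, size_t total)
{
    struct out_state s = { malloc(inc), inc, inc, NULL, inc };
    size_t i, ok = 1;
    if (!s.uncomp_buf)
        return 0;
    s.next_out = s.uncomp_buf;
    for (i = 0; i < total; i++) {
        if (s.avail_out == 0 && grow_out(&s) != 0) { ok = 0; break; }
        *s.next_out++ = (unsigned char)(i & 0xff);
        s.avail_out--;
    }
    for (i = 0; ok && i < total; i++)           /* data survived each realloc */
        if (s.uncomp_buf[i] != (unsigned char)(i & 0xff)) ok = 0;
    free(s.uncomp_buf);
    return (int)ok;
}
```

Running the same loop under AddressSanitizer with the two assignments in the original order is the quickest way to see the stale-pointer write the patch removes.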