From: Krzysztof Kolasa
Date: Wed, 11 Dec 2019 14:35:39 +0000 (+0100)
Subject: lz4: fix system halt at boot kernel on x86_64
X-Git-Tag: archive/raspbian/4.11.3+24-g14b62ab3e5-1+rpi1^2~55^2
X-Git-Url: https://dgit.raspbian.org/?a=commitdiff_plain;h=14b62ab3e5a79816edfc6dd3afce1bb68c106ac5;p=xen.git

lz4: fix system halt at boot kernel on x86_64

Sometimes, on x86_64, decompression fails with the following error:

Decompressing Linux... Decoding failed -- System halted

This condition is not needed for a 64bit kernel(from commit d5e7caf):

if( ... || (op + COPYLENGTH) > oend) goto _output_error

macro LZ4_SECURE_COPY() tests op and does not copy any data when op exceeds the value.

added by analogy to lz4_uncompress_unknownoutputsize(...)

Signed-off-by: Krzysztof Kolasa
[Linux commit 99b7e93c95c78952724a9783de6c78def8fbfc3f]

The offending commit in our case is fcc17f96c277 ("LZ4 : fix the data abort issue").

Signed-off-by: Jan Beulich
Acked-by: Andrew Cooper
master commit: 5d90ff79542ab9c6eebe5c315c68c196bcf353b9
master date: 2019-12-09 14:02:35 +0100
---

diff --git a/xen/common/lz4/decompress.c b/xen/common/lz4/decompress.c index e8636e193a..bef3a9a99c 100644 --- a/xen/common/lz4/decompress.c +++ b/xen/common/lz4/decompress.c @@ -132,8 +132,12 @@ static int INIT lz4_uncompress(const unsigned char *source, unsigned char *dest, /* Error: request to write beyond destination buffer */ if (cpy > oend) goto _output_error; +#if LZ4_ARCH64 + if ((ref + COPYLENGTH) > oend) +#else if ((ref + COPYLENGTH) > oend || (op + COPYLENGTH) > oend) +#endif goto _output_error; LZ4_SECURECOPY(ref, op, (oend - COPYLENGTH)); while (op < cpy) 
@@ -266,7 +270,13 @@ static int lz4_uncompress_unknownoutputsize(const unsigned char *source, if (cpy > oend - COPYLENGTH) { if (cpy > oend) goto _output_error; /* write outside of buf */ - +#if LZ4_ARCH64 + if ((ref + COPYLENGTH) > oend) +#else + if ((ref + COPYLENGTH) > oend || + (op + COPYLENGTH) > oend) +#endif + goto _output_error; LZ4_SECURECOPY(ref, op, (oend - COPYLENGTH)); while (op < cpy) *op++ = *ref++;
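
Review bot: in the lz4_uncompress() hunk (@@ -132,8 +132,12 @@), the `#if LZ4_ARCH64` branch drops the `(op + COPYLENGTH) > oend` test without any comment in the code, so the reason this write-bounds check can go lives only in the commit message. Please add a short comment at the `#if` recording the argument: the preceding `if (cpy > oend) goto _output_error;` still rejects a write past the destination, LZ4_SECURECOPY(ref, op, (oend - COPYLENGTH)) is relied on to copy nothing once op is past its limit, and the trailing `while (op < cpy)` loop finishes byte by byte. The comment should also say why the non-64-bit build keeps the op test, since the commit message only states that it is not needed for 64-bit and the next person to touch a decompressor bounds check needs both halves.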
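
Review bot: in the lz4_uncompress_unknownoutputsize() hunk (@@ -266,7 +270,13 @@), the change is not a relaxation: the removed line is blank, and the added lines put a new `goto _output_error;` path between `if (cpy > oend)` and LZ4_SECURECOPY() that this function did not have before. On the `#else` side that path includes `(op + COPYLENGTH) > oend`, the same condition the commit message blames for the "Decoding failed" halt in the other function, so non-64-bit builds can now reject input here that they previously accepted. The message's "added by analogy" should be expanded to say this explicitly, and the change should be tested with a stream whose last match ends within COPYLENGTH bytes of oend on a non-64-bit build. Because the same four-line `#if`/`#else` condition now appears in both functions, consider factoring it into one macro so the two copies cannot drift apart.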