The patch titled
Subject: lz4: fix LZ4_decompress_safe_partial read out of bound
has been added to the -mm tree. Its filename is
lz4-fix-lz4_decompress_safe_partial-read-out-of-bound.patch
This patch should soon appear at
https://ozlabs.org/~akpm/mmots/broken-out/lz4-fix-lz4_decompress_safe_partial-read-out-of-bound.patch
and later at
https://ozlabs.org/~akpm/mmotm/broken-out/lz4-fix-lz4_decompress_safe_partial-read-out-of-bound.patch
Before you just go and hit "reply", please:
a) Consider who else should be cc'ed
b) Prefer to cc a suitable mailing list as well
c) Ideally: find the original patch on the mailing list and do a
reply-to-all to that, adding suitable additional cc's
*** Remember to use Documentation/process/submit-checklist.rst when testing your code ***
The -mm tree is included into linux-next and is updated
there every 3-4 working days
------------------------------------------------------
From: Guo Xuenan <guoxuenan@xxxxxxxxxx>
Subject: lz4: fix LZ4_decompress_safe_partial read out of bound
When partialDecoding, it is EOF if we've either, filled the output
buffer or can't proceed with reading an offset for following match.
In some extreme corner cases when compressed data is crusted corrupted,
UAF will occur. As reported by KASAN [1], LZ4_decompress_safe_partial
may lead to read out of bound problem during decoding. lz4 upstream has
fixed it [2] and this issue has been disscussed here [3] before.
current decompression routine was ported from lz4 v1.8.3, bumping lib/lz4
to v1.9.+ is certainly a huge work to be done later, so, we'd better fix
it first.
[1] https://lore.kernel.org/all/000000000000830d1205cf7f0477@xxxxxxxxxx/
[2] https://github.com/lz4/lz4/commit/c5d6f8a8be3927c0bec91bcc58667a6cfad244ad#
[3] https://lore.kernel.org/all/CC666AE8-4CA4-4951-B6FB-A2EFDE3AC03B@xxxxxx/
Link: https://lkml.kernel.org/r/20211111105048.2006070-1-guoxuenan@xxxxxxxxxx
Reported-by: syzbot+63d688f1d899c588fb71@xxxxxxxxxxxxxxxxxxxxxxxxx
Signed-off-by: Guo Xuenan <guoxuenan@xxxxxxxxxx>
Cc: Gao Xiang <hsiangkao@xxxxxxxxxxxxxxxxx>
Cc: Nick Terrell <terrelln@xxxxxx>
Cc: Yann Collet <cyan@xxxxxx>
Cc: Chengyang Fan <cy.fan@xxxxxxxxxx>
Signed-off-by: Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx>
---
lib/lz4/lz4_decompress.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
--- a/lib/lz4/lz4_decompress.c~lz4-fix-lz4_decompress_safe_partial-read-out-of-bound
+++ a/lib/lz4/lz4_decompress.c
@@ -271,8 +271,12 @@ static FORCE_INLINE int LZ4_decompress_g
ip += length;
op += length;
- /* Necessarily EOF, due to parsing restrictions */
- if (!partialDecoding || (cpy == oend))
+ /* Necessarily EOF when !partialDecoding.
+ * When partialDecoding, it is EOF if we've either
+ * filled the output buffer or
+ * can't proceed with reading an offset for following match.
+ */
+ if (!partialDecoding || (cpy == oend) || (ip >= (iend - 2)))
break;
} else {
/* may overwrite up to WILDCOPYLENGTH beyond cpy */
_
Patches currently in -mm which might be from guoxuenan@xxxxxxxxxx are
lz4-fix-lz4_decompress_safe_partial-read-out-of-bound.patch
