From: Guo Xuenan <guoxuenan@huawei.com>
To: Gao Xiang <hsiangkao@linux.alibaba.com>,
Andrew Morton <akpm@linux-foundation.org>
Cc: Nick Terrell <terrelln@fb.com>, Chengyang Fan <cy.fan@huawei.com>,
"Yann Collet" <cyan@fb.com>,
"fangwei1@huawei.com" <fangwei1@huawei.com>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
"syzbot+63d688f1d899c588fb71@syzkaller.appspotmail.com"
<syzbot+63d688f1d899c588fb71@syzkaller.appspotmail.com>,
"wangli74@huawei.com" <wangli74@huawei.com>
Subject: Re: [PATCH v3] lz4: fix LZ4_decompress_safe_partial read out of bound
Date: Wed, 6 Apr 2022 08:41:27 +0800
Message-ID: <36ac1182-36d3-d6fa-6954-c7c6a2e1d968@huawei.com>
In-Reply-To: <YktxATidpH2A1QJu@B-P7TQMD6M-0146.local>
Hi all,
On 2022/4/5 6:28, Gao Xiang wrote:
> On Mon, Apr 04, 2022 at 02:21:23PM -0700, Andrew Morton wrote:
>> On Sat, 2 Apr 2022 12:55:39 +0800 Gao Xiang <hsiangkao@linux.alibaba.com> wrote:
>>
>>> On Fri, Nov 19, 2021 at 06:23:24PM +0000, Nick Terrell wrote:
>>>>
>>>>> On Nov 11, 2021, at 2:50 AM, Guo Xuenan <guoxuenan@huawei.com> wrote:
>>>>>
>>>>> When partialDecoding, it is EOF if we've either filled the output
>>>>> buffer or can't proceed with reading an offset for the following match.
>>>>>
>>>>> In some extreme corner cases when compressed data is crusted corrupted,
>>>>> UAF will occur. As reported by KASAN [1], LZ4_decompress_safe_partial
>>>>> may lead to a read out of bound problem during decoding. lz4 upstream has
>>>>> fixed it [2] and this issue has been discussed here [3] before.
>>>>>
>>>>> The current decompression routine was ported from lz4 v1.8.3; bumping lib/lz4
>>>>> to v1.9.+ is certainly a huge work to be done later, so we'd better fix
>>>>> it first.
>>>>>
>>>>> [1] https://lore.kernel.org/all/000000000000830d1205cf7f0477@google.com/
>>>>> [2] https://github.com/lz4/lz4/commit/c5d6f8a8be3927c0bec91bcc58667a6cfad244ad#
>>>>> [3] https://lore.kernel.org/all/CC666AE8-4CA4-4951-B6FB-A2EFDE3AC03B@fb.com/
>>>>>
>>>>> Reported-by: syzbot+63d688f1d899c588fb71@syzkaller.appspotmail.com
>>>>> Cc: hsiangkao@linux.alibaba.com
>>>>> Cc: terrelln@fb.com
>>>>> Cc: cyan@fb.com
>>>>> Cc: cy.fan@huawei.com
>>>>> Signed-off-by: Guo Xuenan <guoxuenan@huawei.com>
>>>> Sorry I’m a bit late to the party, but this looks good to me!
>>>>
>>>> Reviewed-by: Nick Terrell <terrelln@fb.com>
>>> Acked-by: Gao Xiang <hsiangkao@linux.alibaba.com>
>>>
>>> Hi Andrew,
>>>
>>> This patch has already been pending for 2 release cycles.. Would you
>>> mind submitting it upstream? Or are there other concerns about this?
>> Sorry, I'd not noticed that this was from lz4 upstream.
>>
>> I'll put a cc:stable in there and shall send it upstream this week.
>>
>> In the changelog, can someone please explain what "crusted corrupted"
>> is saying?
Sorry for my misspelling; Gao Xiang is right, I mean "well-designed
corrupted".
> Er.. It sounds like "well-designed corrupted". I think it was a typo
> though.
>
> Thanks,
> Gao Xiang
> .
Thanks,
Guo Xuenan
.
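The commit message quoted above states the invariant the fix relies on: in partial-decoding mode the stream is at EOF once the output buffer is full or the remaining input cannot supply the offset for the next match, so the decoder must stop there rather than read the offset. The block below is an added example and is not lib/lz4, upstream lz4, or the patch under discussion: it is a minimal decoder for the public LZ4 block format (token byte, 255-extended lengths, 2-byte little-endian offset, minimum match length 4) with a `partial` flag, run over constructed sample blocks (the syzbot reproducer is not on this page). The names lz4_block_decode, decode_result, decodes_to, kValidBlock and kTruncatedOffset are the example's own.

```c
/* Minimal LZ4 block decoder with a "safe partial" mode. Illustration only,
 * not lib/lz4 or upstream lz4 code: it implements the public LZ4 block
 * format (token byte, 255-extended lengths, 2-byte little-endian match
 * offset, minimum match length 4) and marks where a partial decode must
 * stop instead of reading the next offset past the end of the input. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define LZ4_MINMATCH 4

/* Returns bytes written to dst, or -1 on malformed input. With partial != 0,
 * "dst is full" and "fewer than 2 input bytes left where an offset would be"
 * are treated as end of stream instead of as errors. */
static long lz4_block_decode(const uint8_t *src, size_t src_len,
                             uint8_t *dst, size_t dst_cap, int partial)
{
    const uint8_t *ip = src, *iend = src + src_len;
    uint8_t *op = dst, *oend = dst + dst_cap;

    while (ip < iend) {
        unsigned token = *ip++, b;
        size_t lit = token >> 4, mlen = token & 0x0F;

        if (lit == 15) {                                /* 255-extended length */
            do { if (ip >= iend) return -1; b = *ip++; lit += b; } while (b == 255);
        }
        if ((size_t)(iend - ip) < lit) return -1;       /* literals truncated */
        if ((size_t)(oend - op) < lit) {                /* output too small */
            if (!partial) return -1;
            memcpy(op, ip, (size_t)(oend - op));        /* fill what fits: EOF */
            return (long)dst_cap;
        }
        memcpy(op, ip, lit);
        ip += lit; op += lit;

        if (ip == iend) break;                          /* block ends with literals */
        /* Partial-decode EOF: output full, or the remaining input cannot hold a
         * 2-byte offset. Reading ip[0], ip[1] unconditionally here is the
         * out-of-bounds read. */
        if (op == oend || (size_t)(iend - ip) < 2) {
            if (partial) break;
            return -1;
        }
        size_t offset = ip[0] | ((size_t)ip[1] << 8);
        ip += 2;
        if (offset == 0 || offset > (size_t)(op - dst)) return -1; /* before dst */

        if (mlen == 15) {                               /* 255-extended length */
            do { if (ip >= iend) return -1; b = *ip++; mlen += b; } while (b == 255);
        }
        mlen += LZ4_MINMATCH;
        if ((size_t)(oend - op) < mlen) {
            if (!partial) return -1;
            mlen = (size_t)(oend - op);                 /* truncate match: EOF */
        }
        const uint8_t *match = op - offset;
        for (size_t i = 0; i < mlen; i++) op[i] = match[i]; /* overlap is legal */
        op += mlen;
        if (op == oend && partial) break;
    }
    return (long)(op - dst);
}

/* Constructed samples, not the syzbot reproducer. kValidBlock decodes to
 * "abcdabcdabcd"; kTruncatedOffset is the same sequence with the offset cut
 * to one byte, so a naive decoder reads one byte past the buffer. */
static const uint8_t kValidBlock[]      = { 0x44, 'a', 'b', 'c', 'd', 0x04, 0x00 };
static const uint8_t kTruncatedOffset[] = { 0x40, 'a', 'b', 'c', 'd', 0x04 };

/* Decode into a cap-sized scratch buffer (cap <= 64); returns the decoder's result. */
static long decode_result(const uint8_t *src, size_t n, size_t cap, int partial)
{
    uint8_t out[64];
    if (cap > sizeof out) return -1;
    return lz4_block_decode(src, n, out, cap, partial);
}

/* 1 if decoding yields exactly `expect`, 0 otherwise (errors included). */
static int decodes_to(const uint8_t *src, size_t n, size_t cap, int partial,
                      const char *expect)
{
    uint8_t out[64];
    if (cap > sizeof out) return 0;
    long r = lz4_block_decode(src, n, out, cap, partial);
    return r >= 0 && (size_t)r == strlen(expect) && memcmp(out, expect, (size_t)r) == 0;
}

int main(void)
{
    printf("valid/full: %ld  truncated/safe: %ld  truncated/partial: %ld  valid/cap6/partial: %ld\n",
           decode_result(kValidBlock, sizeof kValidBlock, 12, 0),
           decode_result(kTruncatedOffset, sizeof kTruncatedOffset, 12, 0),
           decode_result(kTruncatedOffset, sizeof kTruncatedOffset, 12, 1),
           decode_result(kValidBlock, sizeof kValidBlock, 6, 1));
    return 0;
}
```

With kTruncatedOffset the non-partial decode reports an error, while the partial decode returns the four literals already produced and never touches ip[1]; with kValidBlock and a 6-byte destination the partial decode truncates the match and returns 6. Either way the offset is read only after the length check, which is the property the patch restores.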
Thread overview: 8+ messages
2021-11-11 7:17 [PATCH] lz4: fix LZ4_decompress_safe_partial read out of bound Guo Xuenan
2021-11-11 8:50 ` [PATCH v2] " Guo Xuenan
2021-11-11 10:50 ` [PATCH v3] " Guo Xuenan
2021-11-19 18:23 ` Nick Terrell
2022-04-02 4:55 ` Gao Xiang
2022-04-04 21:21 ` Andrew Morton
2022-04-04 22:28 ` Gao Xiang
2022-04-06 0:41 ` Guo Xuenan [this message]