[PATCH] lz4: fixs use-after-free Read in LZ4_decompress_safe_partial

From: Chengyang Fan <cy.fan@huawei.com>
To: <akpm@linux-foundation.org>, <terrelln@fb.com>,
	<sfr@canb.auug.org.au>, <hsiangkao@linux.alibaba.com>,
	<thisisrast7@gmail.com>
Cc: <linux-kernel@vger.kernel.org>, <cy.fan@huawei.com>
Subject: [PATCH] lz4: fixs use-after-free Read in LZ4_decompress_safe_partial
Date: Wed, 30 Jun 2021 11:23:58 +0800	[thread overview]
Message-ID: <20210630032358.949122-1-cy.fan@huawei.com> (raw)

==================================================================
BUG: KASAN: use-after-free in get_unaligned_le16 include/linux/unaligned/access_ok.h:10 [inline]
BUG: KASAN: use-after-free in LZ4_readLE16 lib/lz4/lz4defs.h:132 [inline]
BUG: KASAN: use-after-free in LZ4_decompress_generic lib/lz4/lz4_decompress.c:281 [inline]
BUG: KASAN: use-after-free in LZ4_decompress_safe_partial+0xf50/0x1480 lib/lz4/lz4_decompress.c:465
Read of size 2 at addr ffff888017851000 by task kworker/u12:0/2056

CPU: 0 PID: 2056 Comm: kworker/u12:0 Not tainted 5.10.40 #2
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
Workqueue: erofs_unzipd z_erofs_decompressqueue_work
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x137/0x1be lib/dump_stack.c:118
 print_address_description+0x6c/0x640 mm/kasan/report.c:385
 __kasan_report mm/kasan/report.c:545 [inline]
 kasan_report+0x13d/0x1e0 mm/kasan/report.c:562
 get_unaligned_le16 include/linux/unaligned/access_ok.h:10 [inline]
 LZ4_readLE16 lib/lz4/lz4defs.h:132 [inline]
 LZ4_decompress_generic lib/lz4/lz4_decompress.c:281 [inline]
 LZ4_decompress_safe_partial+0xf50/0x1480 lib/lz4/lz4_decompress.c:465
 z_erofs_lz4_decompress+0x839/0xc90 fs/erofs/decompressor.c:162
 z_erofs_decompress_generic fs/erofs/decompressor.c:291 [inline]
 z_erofs_decompress+0x57e/0xe10 fs/erofs/decompressor.c:344
 z_erofs_decompress_pcluster+0x13d1/0x2310 fs/erofs/zdata.c:880
 z_erofs_decompress_queue fs/erofs/zdata.c:958 [inline]
 z_erofs_decompressqueue_work+0xde/0x140 fs/erofs/zdata.c:969
 process_one_work+0x780/0xfc0 kernel/workqueue.c:2269
 worker_thread+0xaa4/0x1460 kernel/workqueue.c:2415
 kthread+0x39a/0x3c0 kernel/kthread.c:292
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:296

The buggy address belongs to the page:
page:00000000a79b76f1 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x17851
flags: 0xfff00000000000()
raw: 00fff00000000000 ffffea000081b9c8 ffffea00006ac6c8 0000000000000000
raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff888017850f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff888017850f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff888017851000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                   ^
 ffff888017851080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff888017851100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================
erofs: (device loop0): z_erofs_lz4_decompress: failed to decompress -4099 in[4096, 0] out[9000]

Off-by-one error causes the above issue. In LZ4_decompress_generic(),
`iend = src + srcSize`. It means the valid address range should be
[src, iend - 1]. Therefore, when checking whether the reading is
out-of-bounds, it should be  `>= iend` rather than `> iend`.

Reported-by: Hulk Robot <hulkci@huawei.com>
Signed-off-by: Chengyang Fan <cy.fan@huawei.com>
---
 lib/lz4/lz4_decompress.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/lz4/lz4_decompress.c b/lib/lz4/lz4_decompress.c
index 926f4823d5ea..ec51837cd31f 100644
--- a/lib/lz4/lz4_decompress.c
+++ b/lib/lz4/lz4_decompress.c
@@ -234,7 +234,7 @@ static FORCE_INLINE int LZ4_decompress_generic(
 					length = oend - op;
 				}
 				if ((endOnInput)
-					&& (ip + length > iend)) {
+					&& (ip + length >= iend)) {
 					/*
 					 * Error :
 					 * read attempt beyond
-- 
2.18.0.huawei.25

