From: Chengyang Fan <cy.fan@huawei.com>
To: <akpm@linux-foundation.org>, <terrelln@fb.com>,
<sfr@canb.auug.org.au>, <hsiangkao@linux.alibaba.com>,
<thisisrast7@gmail.com>
Cc: <linux-kernel@vger.kernel.org>, <cy.fan@huawei.com>
Subject: [PATCH] lz4: fixs use-after-free Read in LZ4_decompress_safe_partial
Date: Wed, 30 Jun 2021 11:23:58 +0800 [thread overview]
Message-ID: <20210630032358.949122-1-cy.fan@huawei.com> (raw)
==================================================================
BUG: KASAN: use-after-free in get_unaligned_le16 include/linux/unaligned/access_ok.h:10 [inline]
BUG: KASAN: use-after-free in LZ4_readLE16 lib/lz4/lz4defs.h:132 [inline]
BUG: KASAN: use-after-free in LZ4_decompress_generic lib/lz4/lz4_decompress.c:281 [inline]
BUG: KASAN: use-after-free in LZ4_decompress_safe_partial+0xf50/0x1480 lib/lz4/lz4_decompress.c:465
Read of size 2 at addr ffff888017851000 by task kworker/u12:0/2056
CPU: 0 PID: 2056 Comm: kworker/u12:0 Not tainted 5.10.40 #2
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
Workqueue: erofs_unzipd z_erofs_decompressqueue_work
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x137/0x1be lib/dump_stack.c:118
print_address_description+0x6c/0x640 mm/kasan/report.c:385
__kasan_report mm/kasan/report.c:545 [inline]
kasan_report+0x13d/0x1e0 mm/kasan/report.c:562
get_unaligned_le16 include/linux/unaligned/access_ok.h:10 [inline]
LZ4_readLE16 lib/lz4/lz4defs.h:132 [inline]
LZ4_decompress_generic lib/lz4/lz4_decompress.c:281 [inline]
LZ4_decompress_safe_partial+0xf50/0x1480 lib/lz4/lz4_decompress.c:465
z_erofs_lz4_decompress+0x839/0xc90 fs/erofs/decompressor.c:162
z_erofs_decompress_generic fs/erofs/decompressor.c:291 [inline]
z_erofs_decompress+0x57e/0xe10 fs/erofs/decompressor.c:344
z_erofs_decompress_pcluster+0x13d1/0x2310 fs/erofs/zdata.c:880
z_erofs_decompress_queue fs/erofs/zdata.c:958 [inline]
z_erofs_decompressqueue_work+0xde/0x140 fs/erofs/zdata.c:969
process_one_work+0x780/0xfc0 kernel/workqueue.c:2269
worker_thread+0xaa4/0x1460 kernel/workqueue.c:2415
kthread+0x39a/0x3c0 kernel/kthread.c:292
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:296
The buggy address belongs to the page:
page:00000000a79b76f1 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x17851
flags: 0xfff00000000000()
raw: 00fff00000000000 ffffea000081b9c8 ffffea00006ac6c8 0000000000000000
raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff888017850f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff888017850f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff888017851000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
^
ffff888017851080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff888017851100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================
erofs: (device loop0): z_erofs_lz4_decompress: failed to decompress -4099 in[4096, 0] out[9000]
Off-by-one error causes the above issue. In LZ4_decompress_generic(),
`iend = src + srcSize`. It means the valid address range should be
[src, iend - 1]. Therefore, when checking whether the reading is
out-of-bounds, it should be `>= iend` rather than `> iend`.
Reported-by: Hulk Robot <hulkci@huawei.com>
Signed-off-by: Chengyang Fan <cy.fan@huawei.com>
---
lib/lz4/lz4_decompress.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/lz4/lz4_decompress.c b/lib/lz4/lz4_decompress.c
index 926f4823d5ea..ec51837cd31f 100644
--- a/lib/lz4/lz4_decompress.c
+++ b/lib/lz4/lz4_decompress.c
@@ -234,7 +234,7 @@ static FORCE_INLINE int LZ4_decompress_generic(
length = oend - op;
}
if ((endOnInput)
- && (ip + length > iend)) {
+ && (ip + length >= iend)) {
/*
* Error :
* read attempt beyond
--
2.18.0.huawei.25
next reply other threads:[~2021-06-30 2:52 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-06-30 3:23 Chengyang Fan [this message]
2021-06-30 11:42 ` [PATCH] lz4: fixs use-after-free Read in LZ4_decompress_safe_partial Gao Xiang
2021-06-30 17:49 ` Nick Terrell
2021-07-01 2:34 ` Chengyang Fan
2021-07-01 2:32 ` Chengyang Fan
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210630032358.949122-1-cy.fan@huawei.com \
--to=cy.fan@huawei.com \
--cc=akpm@linux-foundation.org \
--cc=hsiangkao@linux.alibaba.com \
--cc=linux-kernel@vger.kernel.org \
--cc=sfr@canb.auug.org.au \
--cc=terrelln@fb.com \
--cc=thisisrast7@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).