lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <f9d65118-13e1-8b08-c34c-690dca7b6bab@huawei.com>
Date:   Thu, 1 Jul 2021 10:32:51 +0800
From:   Chengyang Fan <cy.fan@...wei.com>
To:     Gao Xiang <hsiangkao@...ux.alibaba.com>
CC:     <akpm@...ux-foundation.org>, <terrelln@...com>,
        <sfr@...b.auug.org.au>, <thisisrast7@...il.com>,
        <linux-kernel@...r.kernel.org>,
        Yann Collet <yann.collet.73@...il.com>,
        <linux-erofs@...ts.ozlabs.org>
Subject: Re: [PATCH] lz4: fixs use-after-free Read in
 LZ4_decompress_safe_partial


On 2021/6/30 19:42, Gao Xiang wrote:
> (also +cc Yann as well as Nick..)
>
> Hi Chengyang,
>
> If I understand correctly, is this a manually produced fuzzed
> EROFS compressed data? If it's just a normal image, could you
> also share the original image?
Yeah, this is the generated fuzzed data, not the normal image.
> On Wed, Jun 30, 2021 at 11:23:58AM +0800, Chengyang Fan wrote:
>> ==================================================================
>> BUG: KASAN: use-after-free in get_unaligned_le16 include/linux/unaligned/access_ok.h:10 [inline]
>> BUG: KASAN: use-after-free in LZ4_readLE16 lib/lz4/lz4defs.h:132 [inline]
>> BUG: KASAN: use-after-free in LZ4_decompress_generic lib/lz4/lz4_decompress.c:281 [inline]
>> BUG: KASAN: use-after-free in LZ4_decompress_safe_partial+0xf50/0x1480 lib/lz4/lz4_decompress.c:465
>> Read of size 2 at addr ffff888017851000 by task kworker/u12:0/2056
>>
>> CPU: 0 PID: 2056 Comm: kworker/u12:0 Not tainted 5.10.40 #2
>> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
>> Workqueue: erofs_unzipd z_erofs_decompressqueue_work
>> Call Trace:
>>   __dump_stack lib/dump_stack.c:77 [inline]
>>   dump_stack+0x137/0x1be lib/dump_stack.c:118
>>   print_address_description+0x6c/0x640 mm/kasan/report.c:385
>>   __kasan_report mm/kasan/report.c:545 [inline]
>>   kasan_report+0x13d/0x1e0 mm/kasan/report.c:562
>>   get_unaligned_le16 include/linux/unaligned/access_ok.h:10 [inline]
>>   LZ4_readLE16 lib/lz4/lz4defs.h:132 [inline]
>>   LZ4_decompress_generic lib/lz4/lz4_decompress.c:281 [inline]
>>   LZ4_decompress_safe_partial+0xf50/0x1480 lib/lz4/lz4_decompress.c:465
>>   z_erofs_lz4_decompress+0x839/0xc90 fs/erofs/decompressor.c:162
>>   z_erofs_decompress_generic fs/erofs/decompressor.c:291 [inline]
>>   z_erofs_decompress+0x57e/0xe10 fs/erofs/decompressor.c:344
>>   z_erofs_decompress_pcluster+0x13d1/0x2310 fs/erofs/zdata.c:880
>>   z_erofs_decompress_queue fs/erofs/zdata.c:958 [inline]
>>   z_erofs_decompressqueue_work+0xde/0x140 fs/erofs/zdata.c:969
>>   process_one_work+0x780/0xfc0 kernel/workqueue.c:2269
>>   worker_thread+0xaa4/0x1460 kernel/workqueue.c:2415
>>   kthread+0x39a/0x3c0 kernel/kthread.c:292
>>   ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:296
>>
>> The buggy address belongs to the page:
>> page:00000000a79b76f1 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x17851
>> flags: 0xfff00000000000()
>> raw: 00fff00000000000 ffffea000081b9c8 ffffea00006ac6c8 0000000000000000
>> raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
>> page dumped because: kasan: bad access detected
>>
>> Memory state around the buggy address:
>>   ffff888017850f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>>   ffff888017850f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>>> ffff888017851000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>>                     ^
>>   ffff888017851080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>>   ffff888017851100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>> ==================================================================
>> erofs: (device loop0): z_erofs_lz4_decompress: failed to decompress -4099 in[4096, 0] out[9000]
>>
>> Off-by-one error causes the above issue. In LZ4_decompress_generic(),
>> `iend = src + srcSize`. It means the valid address range should be
>> [src, iend - 1]. Therefore, when checking whether the reading is
>> out-of-bounds, it should be  `>= iend` rather than `> iend`.
>>
>> Reported-by: Hulk Robot <hulkci@...wei.com>
>> Signed-off-by: Chengyang Fan <cy.fan@...wei.com>
>> ---
>>   lib/lz4/lz4_decompress.c | 2 +-
>>   1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> diff --git a/lib/lz4/lz4_decompress.c b/lib/lz4/lz4_decompress.c
>> index 926f4823d5ea..ec51837cd31f 100644
>> --- a/lib/lz4/lz4_decompress.c
>> +++ b/lib/lz4/lz4_decompress.c
>> @@ -234,7 +234,7 @@ static FORCE_INLINE int LZ4_decompress_generic(
>>   					length = oend - op;
>>   				}
>>   				if ((endOnInput)
>> -					&& (ip + length > iend)) {
>> +					&& (ip + length >= iend)) {
> I'm not sure it should be fixed as this.
>
> The current lz4 decompression code was from lz4 1.8.3, and I saw
> several following up fixes for incomplete input partial decoding
> in recent LZ4 upstream, you could check them out together. However,
> EROFS should never pass incomplete lz4 compressed data to the LZ4
> side unless it's somewhat a corrupted image on purpose.
> https://github.com/lz4/lz4/blame/dev/lib/lz4.c
>
> Thanks,
> Gao Xiang

This is the fault injection, not an error caused by normal EROFS.

Thanks for you advice, I will recheck the bugfixes of LZ4 upstream.


Thanks,

Chengyang Fan

>>   					/*
>>   					 * Error :
>>   					 * read attempt beyond
>> -- 
>> 2.18.0.huawei.25
> .

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ