lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <8f0dd1ed-8849-46ef-af2a-4baf4dc91422@linux.alibaba.com>
Date: Sun, 31 Dec 2023 09:14:11 +0800
From: Gao Xiang <hsiangkao@...ux.alibaba.com>
To: Edward Adam Davis <eadavis@...com>,
 syzbot+6c746eea496f34b3161d@...kaller.appspotmail.com
Cc: chao@...nel.org, huyue2@...lpad.com, jefflexu@...ux.alibaba.com,
 linux-erofs@...ts.ozlabs.org, linux-fsdevel@...r.kernel.org,
 linux-kernel@...r.kernel.org, syzkaller-bugs@...glegroups.com,
 xiang@...nel.org
Subject: Re: [PATCH] erofs: fix uninit-value in z_erofs_lz4_decompress



On 2023/12/29 19:09, Edward Adam Davis wrote:
> When LZ4 decompression fails, the number of bytes read from out should be
> inputsize plus the returned overflow value ret.
> 
> Reported-and-tested-by: syzbot+6c746eea496f34b3161d@...kaller.appspotmail.com
> Signed-off-by: Edward Adam Davis <eadavis@...com>
> ---
>   fs/erofs/decompressor.c | 3 ++-
>   1 file changed, 2 insertions(+), 1 deletion(-)
> 
> diff --git a/fs/erofs/decompressor.c b/fs/erofs/decompressor.c
> index 021be5feb1bc..8ac3f96676c4 100644
> --- a/fs/erofs/decompressor.c
> +++ b/fs/erofs/decompressor.c
> @@ -250,7 +250,8 @@ static int z_erofs_lz4_decompress_mem(struct z_erofs_lz4_decompress_ctx *ctx,
>   		print_hex_dump(KERN_DEBUG, "[ in]: ", DUMP_PREFIX_OFFSET,
>   			       16, 1, src + inputmargin, rq->inputsize, true);
>   		print_hex_dump(KERN_DEBUG, "[out]: ", DUMP_PREFIX_OFFSET,
> -			       16, 1, out, rq->outputsize, true);
> +			       16, 1, out, (ret < 0 && rq->inputsize > 0) ?
> +			       (ret + rq->inputsize) : rq->outputsize, true);

It's incorrect since output decompressed buffer has no relationship
with `rq->inputsize` and `ret + rq->inputsize` is meaningless too.

Also, the issue was already fixed by avoiding debugging messages as
https://lore.kernel.org/r/20231227151903.2900413-1-hsiangkao@linux.alibaba.com

Thanks,
Gao Xiang

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ