From: Dimitri John Ledkov
To: linux-kernel@vger.kernel.org
Cc: Dimitri John Ledkov, Andrew Morton, Kyungsik Lee, Yinghai Lu, Bongkyu Kim, Kees Cook, Sven Schmidt <4sschmid@informatik.uni-hamburg.de>
Subject: [RESEND PATCH v1] lib/decompress_unlz4.c: correctly handle zero-padding around initrds.
Date: Thu, 13 May 2021 11:48:31 +0100
Message-Id: <20210513104831.432975-1-dimitri.ledkov@canonical.com>

lz4 compatible decompressor is simple. The format is underspecified and
relies on EOF notification to determine when to stop. Initramfs buffer
format[1] explicitly states that it can have arbitrary number of zero
padding. Thus when operating without a fill function, be extra careful to
ensure that sizes less than 4, or apparently empty chunksizes are treated
as EOF.

To test this I have created two cpio initrds, first a normal one,
main.cpio. And second one with just a single /test-file with content
"second" second.cpio. Then I compressed both of them with gzip, and with
lz4 -l. Then I created a padding of 4 bytes (dd if=/dev/zero of=pad4 bs=1
count=4). To create four testcase initrds:

 1) main.cpio.gzip + extra.cpio.gzip = pad0.gzip
 2) main.cpio.lz4 + extra.cpio.lz4 = pad0.lz4
 3) main.cpio.gzip + pad4 + extra.cpio.gzip = pad4.gzip
 4) main.cpio.lz4 + pad4 + extra.cpio.lz4 = pad4.lz4

The pad4 test-cases replicate the initrd load by grub, as it pads and
aligns every initrd it loads.

All of the above boot, however /test-file was not accessible in the initrd
for the testcase #4, as decoding in lz4 decompressor failed. Also an error
message printed which usually is harmless.

With a patched kernel, all of the above testcases now pass, and
/test-file is accessible.

This fixes lz4 initrd decompress warning on every boot with grub. And more
importantly this fixes inability to load multiple lz4 compressed initrds
with grub.

This patch has been shipping in Ubuntu kernels since January 2021. [1] ./Documentation/driver-api/early-userspace/buffer-format.rst BugLink: https://bugs.launchpad.net/bugs/1835660 Link: https://lore.kernel.org/lkml/20210114200256.196589-1-xnox@ubuntu.com/ # v0 Signed-off-by: Dimitri John Ledkov Cc: Andrew Morton Cc: Kyungsik Lee Cc: Yinghai Lu Cc: Bongkyu Kim Cc: Kees Cook Cc: Sven Schmidt <4sschmid@informatik.uni-hamburg.de> --- lib/decompress_unlz4.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/lib/decompress_unlz4.c b/lib/decompress_unlz4.c index c0cfcfd486be..e6327391b6b6 100644 --- a/lib/decompress_unlz4.c +++ b/lib/decompress_unlz4.c @@ -112,6 +112,9 @@ STATIC inline int INIT unlz4(u8 *input, long in_len, error("data corrupted"); goto exit_2; } + } else if (size < 4) { + /* empty or end-of-file */ + goto exit_3; } chunksize = get_unaligned_le32(inp); @@ -125,6 +128,10 @@ STATIC inline int INIT unlz4(u8 *input, long in_len, continue; } + if (!fill && chunksize == 0) { + /* empty or end-of-file */ + goto exit_3; + } if (posp) *posp += 4; @@ -184,6 +191,7 @@ STATIC inline int INIT unlz4(u8 *input, long in_len, } } +exit_3: ret = 0; exit_2: if (!input) -- 2.27.0
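
Review bot: in the first hunk (@@ -112,6 +112,9 @@), the new `else if (size < 4)` branch accepts any 1 to 3 leftover bytes as a clean end of input without looking at their contents, so input that is cut short inside a chunk-size word now reaches `exit_3` and returns 0, while the branch just above it in the context ends in `error("data corrupted")`. Since the stated goal is to tolerate zero padding, check that the remaining `size` bytes at `inp` are all zero before `goto exit_3;` and keep the "data corrupted" error for anything else, so truncation is still distinguishable from padding.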
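
Review bot: in the second hunk (@@ -125,6 +128,10 @@), the `chunksize == 0` exit is taken before `*posp += 4`, so the position reported to the caller stops at the zero word instead of after it, and with `fill` set a zero chunk size skips the check and falls through to `*posp += 4`; the `/* empty or end-of-file */` comment explains neither choice. Extend the comment to state that the caller is expected to skip the padding starting from `*posp`, and either justify the `!fill` restriction there or drop it so a zero chunk size is handled the same way on both paths.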