Date: Sat, 2 Apr 2022 12:55:39 +0800
From: Gao Xiang
To: Andrew Morton
Cc: Nick Terrell, Guo Xuenan, Chengyang Fan, Yann Collet, "fangwei1@huawei.com", "linux-kernel@vger.kernel.org", "syzbot+63d688f1d899c588fb71@syzkaller.appspotmail.com", "wangli74@huawei.com"
Subject: Re: [PATCH v3] lz4: fix LZ4_decompress_safe_partial read out of bound
References: <20211111085058.1940591-1-guoxuenan@huawei.com> <20211111105048.2006070-1-guoxuenan@huawei.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On Fri, Nov 19, 2021 at 06:23:24PM +0000, Nick Terrell wrote:
>
>
> > On Nov 11, 2021, at 2:50 AM, Guo Xuenan wrote:
> >
> > When partialDecoding, it is EOF if we've either, filled the output
> > buffer or can't proceed with reading an offset for following match.
> >
> > In some extreme corner cases when compressed data is crusted corrupted,
> > UAF will occur. As reported by KASAN [1], LZ4_decompress_safe_partial
> > may lead to read out of bound problem during decoding. lz4 upstream has
> > fixed it [2] and this issue has been discussed here [3] before.
> >
> > current decompression routine was ported from lz4 v1.8.3, bumping lib/lz4
> > to v1.9.+ is certainly a huge work to be done later, so, we'd better fix
> > it first.
> >
> > [1] https://lore.kernel.org/all/000000000000830d1205cf7f0477@google.com/
> > [2] https://github.com/lz4/lz4/commit/c5d6f8a8be3927c0bec91bcc58667a6cfad244ad#
> > [3] https://lore.kernel.org/all/CC666AE8-4CA4-4951-B6FB-A2EFDE3AC03B@fb.com/
> >
> > Reported-by: syzbot+63d688f1d899c588fb71@syzkaller.appspotmail.com
> > Cc: hsiangkao@linux.alibaba.com
> > Cc: terrelln@fb.com
> > Cc: cyan@fb.com
> > Cc: cy.fan@huawei.com
> > Signed-off-by: Guo Xuenan
>
> Sorry I’m a bit late to the party, but this looks good to me!
>
> Reviewed-by: Nick Terrell

Acked-by: Gao Xiang

Hi Andrew,

This patch has already been pending for 2 release cycles..
Would you mind submitting it upstream? Or are there other concerns about this?

Many thanks!
Gao Xiang
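
An added illustration of the end-of-input rule quoted in the commit message above; it is not part of the original message and is neither the kernel's lib/lz4 code nor the upstream lz4 fix. It is a minimal byte-wise LZ4 block decoder that, when decoding partially, stops once the output is full or fewer than two bytes remain for a match offset. The names `lz4_partial_demo`, `read_len`, `whole` and `cut` and the sample blocks are constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed samples: "abc" + match(offset 3, len 5) + "d"; `cut` ends inside the offset. */
static const uint8_t whole[] = {0x31, 'a', 'b', 'c', 0x03, 0x00, 0x10, 'd'};
static const uint8_t cut[]   = {0x31, 'a', 'b', 'c', 0x03};

/* LZ4 length field: 4-bit base, extended by bytes while they equal 255. -1 if input ends. */
static long read_len(const uint8_t **ip, const uint8_t *iend, unsigned nib)
{
    long len = nib;
    for (uint8_t b = 255; nib == 15 && b == 255; len += b) {
        if (*ip >= iend) return -1;
        b = *(*ip)++;
    }
    return len;
}

/* Decode at most cap bytes; returns bytes written, or -1 on corrupt input. */
long lz4_partial_demo(const uint8_t *src, size_t n, uint8_t *dst, size_t cap)
{
    const uint8_t *ip = src, *iend = src + n;
    uint8_t *op = dst, *oend = dst + cap;
    while (ip < iend) {
        unsigned token = *ip++;
        long lit = read_len(&ip, iend, token >> 4);
        if (lit < 0 || lit > iend - ip) return -1;   /* literals overrun the input */
        size_t room = (size_t)(oend - op), take = (size_t)lit < room ? (size_t)lit : room;
        memcpy(op, ip, take);
        op += take; ip += lit;
        /* Partial-decode EOF: output is full, or no 2-byte offset remains to read. */
        if (op == oend || iend - ip < 2) break;
        size_t off = ip[0] | ((size_t)ip[1] << 8);
        ip += 2;
        long ml = read_len(&ip, iend, token & 15);
        if (ml < 0 || off == 0 || off > (size_t)(op - dst)) return -1;
        for (ml += 4; ml > 0 && op < oend; ml--, op++) *op = *(op - off);
    }
    return (long)(op - dst);
}

int main(void)
{
    uint8_t out[16];
    printf("%ld %ld\n", lz4_partial_demo(whole, sizeof whole, out, sizeof out),
           lz4_partial_demo(cut, sizeof cut, out, sizeof out));
    return 0;
}
```

Without the `iend - ip < 2` test, the `cut` sample would make the decoder read the second offset byte from past the end of the input buffer.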