Received: by 2002:a05:7412:d8a:b0:e2:908c:2ebd with SMTP id b10csp546436rdg; Thu, 12 Oct 2023 13:13:47 -0700 (PDT) X-Google-Smtp-Source: AGHT+IGoqX79C00SuMDcXJQO1KF2qPwSrlmJt5/OpSWa8inlYFuWVHfw29HK1dFFBqypG1OPx+ma X-Received: by 2002:a05:6a00:1152:b0:68f:ecb9:5fde with SMTP id b18-20020a056a00115200b0068fecb95fdemr23390719pfm.34.1697141627052; Thu, 12 Oct 2023 13:13:47 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1697141627; cv=none; d=google.com; s=arc-20160816; b=Q9Nv32plVjlc9GWJG0BeC3JWs3NfE2nK2u+H953PdItvqHZaUf3nJ8nTpM3l2vRw7t +8Iha2VpuYP1mLSOxj9K3EGspOKXGPtaGs+FUUA5xOpWOGVus3tODKR4ZOiLJiKOu8J0 zDqyTCw3TE3ft7X98vM42w+8cPUNtsiMHSUYly8YYbFHHfY8NswQc1caBZIKQXuLwN6K 1/vHZK4nbAwlvBJnVyhczKkeSf993hNFLAbltbpJLzZzQWqOLLwybZPYCCoA+E02/MMk s0Nb3odG8XnSzaMLl1yrtVqhZJHY5cInx/ACCT/2JEmxRf9QsrJysj9KTbckYzu1yQZe U1+A== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:content-disposition:mime-version :references:message-id:subject:cc:to:from:date:dkim-signature; bh=wWha34q0YQUKT0DSdVeRBdS11wQENGBeefusmSYpbX0=; fh=8d9vN/4EzZNppdqR/z+OTDncsAQ9wck7yUjfwV8Cv5w=; b=ltfNwl6x56kxIRnHq0/SEC9zcm4hiiotOvEtxXZ/5sEim8j3SKwDXlV8m3V3LDHxc3 6PiHjYq/2cni6aoGDGiSO6huLGkQzhUJPrl87U57ywve4bymOlsgdBwGi63aZCPXY1eq YHGXlIj1Dqg3ZhE3AZDW6Ne1sRpeguDUb4p38ZDYRExe8kJSMEpkolCtzVlQ2aPrsdix 2C+xTvozRP9yrN9O3qWvK11il49mFCV44BCeDNu/0i0LjOr72U7jvuv4LsbHNqjm29Bj hfQyFtly1zsV4iBBy0n7y+DwQonjzUnNNwomVB2RimY5Zj64BK4fxrGeD4HOCP6UZlVg GNpA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@chromium.org header.s=google header.b=aNamkpJM; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.36 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=chromium.org Return-Path: Received: from pete.vger.email (pete.vger.email. [23.128.96.36]) by mx.google.com with ESMTPS id cg5-20020a056a00290500b00690f22edc20si15119010pfb.333.2023.10.12.13.13.46 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 12 Oct 2023 13:13:47 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.36 as permitted sender) client-ip=23.128.96.36; Authentication-Results: mx.google.com; dkim=pass header.i=@chromium.org header.s=google header.b=aNamkpJM; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.36 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=chromium.org Received: from out1.vger.email (depot.vger.email [IPv6:2620:137:e000::3:0]) by pete.vger.email (Postfix) with ESMTP id 8D78881D55D0; Thu, 12 Oct 2023 13:13:44 -0700 (PDT) X-Virus-Status: Clean X-Virus-Scanned: clamav-milter 0.103.10 at pete.vger.email Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1442614AbjJLUNe (ORCPT + 99 others); Thu, 12 Oct 2023 16:13:34 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:53818 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1347383AbjJLUNd (ORCPT ); Thu, 12 Oct 2023 16:13:33 -0400 Received: from mail-il1-x129.google.com (mail-il1-x129.google.com [IPv6:2607:f8b0:4864:20::129]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id A9DABD7 for ; Thu, 12 Oct 2023 13:13:31 -0700 (PDT) Received: by mail-il1-x129.google.com with SMTP id e9e14a558f8ab-3574f99d236so5177625ab.2 for ; Thu, 12 Oct 2023 13:13:31 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; t=1697141611; x=1697746411; darn=vger.kernel.org; h=in-reply-to:content-disposition:mime-version:references:message-id :subject:cc:to:from:date:from:to:cc:subject:date:message-id:reply-to; bh=wWha34q0YQUKT0DSdVeRBdS11wQENGBeefusmSYpbX0=; b=aNamkpJMNKwOjGNLHXsDgOLRFaNOq4Ng3wc3rklFRJ19J2R7CLU7MJyefdGBY8aVoU rhzPYb6t8CWwgrf1eb28fzRpKIy+wBwjUyMSpeGafzCJmwRZ1jkAYb5MfI46SC7htDQo Gc6UNvv0Et0d3AGtsY4JlIETM3y3xMnq4vxCI= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1697141611; x=1697746411; h=in-reply-to:content-disposition:mime-version:references:message-id :subject:cc:to:from:date:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=wWha34q0YQUKT0DSdVeRBdS11wQENGBeefusmSYpbX0=; b=bb5KxVOU7aAbO+4VCaI8WpNwIyETe0LIlfTWGVuEtnp/UgQOfkrMTlibYJAuAPds55 sV7BjHWWTuqyCZcJ5kQ/FPEuUo6XG/1+z0D64jvso9GqeYZWlusU8mGwA4QS/NgcJGyw RhPYaFPMsvli92vIziM6d+6QEzTrgOLvccjq0RHFMxCWgRr0YA90pb6xRwzfISf2/uNS iELOBoZsYtG/Cc8BDElyHXZ+4bq0g08oOrgOM4d28uGlnUggvzUDL2vn7vxujOOBaFNv o09NMBJgxWXkJmGT7Pk0HT8tlz44Cdf3vqfe/CH3s4VTVyjaamnnnet9jbY/H5al0CR5 gJQg== X-Gm-Message-State: AOJu0YyxyMANUFwfS2n+IV2V73SnmrBiAClyD8gHtJdQ42LsuBvqaDIG WEuHotOHDhQgDlVB8khE+M0JLQ== X-Received: by 2002:a05:6e02:cad:b0:34f:b88d:b2cb with SMTP id 13-20020a056e020cad00b0034fb88db2cbmr23706804ilg.21.1697141611059; Thu, 12 Oct 2023 13:13:31 -0700 (PDT) Received: from www.outflux.net (198-0-35-241-static.hfc.comcastbusiness.net. [198.0.35.241]) by smtp.gmail.com with ESMTPSA id n14-20020a62e50e000000b0069319bfed42sm12089991pff.79.2023.10.12.13.13.29 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 12 Oct 2023 13:13:30 -0700 (PDT) Date: Thu, 12 Oct 2023 13:13:19 -0700 From: Kees Cook To: Nick Terrell Cc: Eric Biggers , syzbot , Chris Mason , "dsterba@suse.com" , "josef@toxicpanda.com" , "linux-btrfs@vger.kernel.org" , "linux-fsdevel@vger.kernel.org" , "linux-kernel@vger.kernel.org" , "syzkaller-bugs@googlegroups.com" , "linux-hardening@vger.kernel.org" Subject: Re: [syzbot] [zstd] UBSAN: array-index-out-of-bounds in FSE_decompress_wksp_body_bmi2 Message-ID: <202310121311.4B9DD96E51@keescook> References: <00000000000049964e06041f2cbf@google.com> <20231007210556.GA174883@sol.localdomain> <202310091025.4939AEBC9@keescook> <19E42116-8FE3-4C4B-8D26-E9B47B0B9AC5@meta.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <19E42116-8FE3-4C4B-8D26-E9B47B0B9AC5@meta.com> X-Spam-Status: No, score=-0.9 required=5.0 tests=DKIMWL_WL_HIGH,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS autolearn=unavailable autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on pete.vger.email Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org X-Greylist: Sender passed SPF test, not delayed by milter-greylist-4.6.4 (pete.vger.email [0.0.0.0]); Thu, 12 Oct 2023 13:13:44 -0700 (PDT) On Thu, Oct 12, 2023 at 07:55:55PM +0000, Nick Terrell wrote: > > > On Oct 9, 2023, at 1:29 PM, Kees Cook wrote: > > > > !-------------------------------------------------------------------| > > This Message Is From an External Sender > > > > |-------------------------------------------------------------------! > > > > On Sat, Oct 07, 2023 at 02:05:56PM -0700, Eric Biggers wrote: > >> Hi Nick, > >> > >> On Wed, Aug 30, 2023 at 12:49:53AM -0700, syzbot wrote: > >>> UBSAN: array-index-out-of-bounds in lib/zstd/common/fse_decompress.c:345:30 > >>> index 33 is out of range for type 'FSE_DTable[1]' (aka 'unsigned int[1]') > >> > >> Zstandard needs to be converted to use C99 flex-arrays instead of length-1 > >> arrays. https://github.com/facebook/zstd/pull/3785 would fix this in upstream > >> Zstandard, though it doesn't work well with the fact that upstream Zstandard > >> supports C90. Not sure how you want to handle this. > > > > For the kernel, we just need: > > > > diff --git a/lib/zstd/common/fse_decompress.c b/lib/zstd/common/fse_decompress.c > > index a0d06095be83..b11e87fff261 100644 > > --- a/lib/zstd/common/fse_decompress.c > > +++ b/lib/zstd/common/fse_decompress.c > > @@ -312,7 +312,7 @@ size_t FSE_decompress_wksp(void* dst, size_t dstCapacity, const void* cSrc, size > > > > typedef struct { > > short ncount[FSE_MAX_SYMBOL_VALUE + 1]; > > - FSE_DTable dtable[1]; /* Dynamically sized */ > > + FSE_DTable dtable[]; /* Dynamically sized */ > > } FSE_DecompressWksp; > > Thanks Eric and Kees for the report and the fix! I am working on putting this > patch up now, just need to test the fix myself to ensure I can reproduce the > issue and the fix. > > In your opinion does this worth trying to get this patch into v6.6, or should it > wait for v6.7? For all these flex array conversions we're mostly on a "slow and steady" route, so there's no rush really. I think waiting for v6.7 is fine. If anyone ends up wanting to backport it, it should be pretty clean I imagine. Thanks for getting it all landed! :) -Kees -- Kees Cook