diff options
author | Alex Rebert <alexandre.rebert@gmail.com> | 2020-02-29 17:36:08 -0500 |
---|---|---|
committer | Patrick Georgi <pgeorgi@google.com> | 2020-03-02 15:03:03 +0000 |
commit | 70282aece0dd33f54ee797486f9d7d03aa8c2346 (patch) | |
tree | 8c6dbbc5462ff98f1bfca104396efe642cbbbbf7 | |
parent | e5e24107f91a959e24546d0cdad84eecee329f8e (diff) |
lz4: Fix out-of-bounds reads
Fix two out-of-bounds reads in lz4 decompression:
1) LZ4_decompress_generic could read one byte past the input buffer when
decoding variable length literals due to a missing bounds check. This
issue was resolved in libpayload, commonlib and cbfstool
2) ulz4fn could read up to 4 bytes past the input buffer when reading a
lz4_block_header due to a missing bounds check. This issue was resolved
in libpayload and commonlib.
Change-Id: I5afdf7e1d43ecdb06c7b288be46813c1017569fc
Signed-off-by: Alex Rebert <alexandre.rebert@gmail.com>
Found-by: Mayhem
Reviewed-on: https://review.coreboot.org/c/coreboot/+/39174
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Patrick Georgi <pgeorgi@google.com>
-rw-r--r-- | payloads/libpayload/liblz4/lz4.c.inc | 1 | ||||
-rw-r--r-- | payloads/libpayload/liblz4/lz4_wrapper.c | 3 | ||||
-rw-r--r-- | src/commonlib/bsd/lz4.c.inc | 1 | ||||
-rw-r--r-- | src/commonlib/bsd/lz4_wrapper.c | 3 | ||||
-rw-r--r-- | util/cbfstool/lz4/lib/lz4.c | 1 |
5 files changed, 9 insertions, 0 deletions
diff --git a/payloads/libpayload/liblz4/lz4.c.inc b/payloads/libpayload/liblz4/lz4.c.inc index baa911021d..68fac47c89 100644 --- a/payloads/libpayload/liblz4/lz4.c.inc +++ b/payloads/libpayload/liblz4/lz4.c.inc @@ -150,6 +150,7 @@ FORCE_INLINE int LZ4_decompress_generic( if ((length=(token>>ML_BITS)) == RUN_MASK) { unsigned s; + if ((endOnInput) && unlikely(ip>=iend-RUN_MASK)) goto _output_error; /* overflow detection */ do { s = *ip++; diff --git a/payloads/libpayload/liblz4/lz4_wrapper.c b/payloads/libpayload/liblz4/lz4_wrapper.c index d125ce336f..3d17fe6742 100644 --- a/payloads/libpayload/liblz4/lz4_wrapper.c +++ b/payloads/libpayload/liblz4/lz4_wrapper.c @@ -141,6 +141,9 @@ size_t ulz4fn(const void *src, size_t srcn, void *dst, size_t dstn) } while (1) { + if ((size_t)(in - src) + sizeof(struct lz4_block_header) > srcn) + break; /* input overrun */ + struct lz4_block_header b = { .raw = le32toh(*(uint32_t *)in) }; in += sizeof(struct lz4_block_header); diff --git a/src/commonlib/bsd/lz4.c.inc b/src/commonlib/bsd/lz4.c.inc index b3be4e5b44..8c75e2f279 100644 --- a/src/commonlib/bsd/lz4.c.inc +++ b/src/commonlib/bsd/lz4.c.inc @@ -150,6 +150,7 @@ FORCE_INLINE int LZ4_decompress_generic( if ((length=(token>>ML_BITS)) == RUN_MASK) { unsigned s; + if ((endOnInput) && unlikely(ip>=iend-RUN_MASK)) goto _output_error; /* overflow detection */ do { s = *ip++; diff --git a/src/commonlib/bsd/lz4_wrapper.c b/src/commonlib/bsd/lz4_wrapper.c index 2367afceaf..3822e8c60f 100644 --- a/src/commonlib/bsd/lz4_wrapper.c +++ b/src/commonlib/bsd/lz4_wrapper.c @@ -129,6 +129,9 @@ size_t ulz4fn(const void *src, size_t srcn, void *dst, size_t dstn) } while (1) { + if ((size_t)(in - src) + sizeof(struct lz4_block_header) > srcn) + break; /* input overrun */ + struct lz4_block_header b = { { .raw = le32toh(*(const uint32_t *)in) } }; diff --git a/util/cbfstool/lz4/lib/lz4.c b/util/cbfstool/lz4/lib/lz4.c index 9c9a9a0d00..e393690203 100644 --- a/util/cbfstool/lz4/lib/lz4.c +++ b/util/cbfstool/lz4/lib/lz4.c @@ -1206,6 +1206,7 @@ FORCE_INLINE int LZ4_decompress_generic( if ((length=(token>>ML_BITS)) == RUN_MASK) { unsigned s; + if ((endOnInput) && unlikely(ip>=iend-RUN_MASK)) goto _output_error; /* overflow detection */ do { s = *ip++; |