linux-stable/lib
Guo Xuenan 467d5e200a lz4: fix LZ4_decompress_safe_partial read out of bound
commit eafc0a0239 upstream.

When partialDecoding, it is EOF if we've either filled the output buffer
or can't proceed with reading an offset for following match.

In some extreme corner cases when compressed data is suitably corrupted,
UAF will occur.  As reported by KASAN [1], LZ4_decompress_safe_partial
may lead to read out of bound problem during decoding.  lz4 upstream has
fixed it [2] and this issue has been discussed here [3] before.

Current decompression routine was ported from lz4 v1.8.3, bumping
lib/lz4 to v1.9.+ is certainly a huge work to be done later, so, we'd
better fix it first.

[1] https://lore.kernel.org/all/000000000000830d1205cf7f0477@google.com/
[2] c5d6f8a8be#
[3] https://lore.kernel.org/all/CC666AE8-4CA4-4951-B6FB-A2EFDE3AC03B@fb.com/

Link: https://lkml.kernel.org/r/20211111105048.2006070-1-guoxuenan@huawei.com
Reported-by: syzbot+63d688f1d899c588fb71@syzkaller.appspotmail.com
Signed-off-by: Guo Xuenan <guoxuenan@huawei.com>
Reviewed-by: Nick Terrell <terrelln@fb.com>
Acked-by: Gao Xiang <hsiangkao@linux.alibaba.com>
Cc: Yann Collet <cyan@fb.com>
Cc: Chengyang Fan <cy.fan@huawei.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2022-04-13 19:27:35 +02:00
..
842
crypto lib/crypto: blake2s: avoid indirect calls to compression function for Clang CFI 2022-02-04 19:22:32 +01:00
dim
fonts
kunit kunit: make kunit_test_timeout compatible with comment 2022-04-08 13:57:41 +02:00
livepatch
lz4 lz4: fix LZ4_decompress_safe_partial read out of bound 2022-04-13 19:27:35 +02:00
lzo
math
mpi lib/mpi: Add the return value check of kcalloc() 2022-01-07 14:30:01 +11:00
pldmfw
raid6 lib/raid6/test/Makefile: Use $(pound) instead of \# for Make 4.3 2022-04-08 13:58:38 +02:00
reed_solomon
test_fortify
vdso
xz
zlib_deflate
zlib_dfltcc
zlib_inflate
zstd lib: zstd: Don't add -O3 to cflags 2021-11-18 13:16:22 -08:00
.gitignore
argv_split.c
ashldi3.c
ashrdi3.c
asn1_decoder.c
asn1_encoder.c lib: remove redundant assignment to variable ret 2022-01-20 08:52:55 +02:00
assoc_array.c
atomic64.c locking/atomic: atomic64: Remove unusable atomic ops 2021-12-13 10:56:09 +01:00
atomic64_test.c
audit.c
bcd.c
bch.c
bitfield_kunit.c
bitmap.c
bitrev.c
bootconfig.c Merge branch 'akpm' (patches from Andrew) 2021-11-06 14:08:17 -07:00
bsearch.c
btree.c
bucket_locks.c
bug.c
build_OID_registry
buildid.c
bust_spinlocks.c
check_signature.c
checksum.c
clz_ctz.c
clz_tab.c
cmdline.c
cmdline_kunit.c
cmpdi2.c
compat_audit.c
cpu_rmap.c
cpumask.c memblock: use memblock_free for freeing virtual pointers 2021-11-06 13:30:41 -07:00
crc-ccitt.c
crc-itu-t.c
crc-t10dif.c
crc4.c
crc7.c
crc8.c
crc16.c
crc32.c
crc32defs.h
crc32test.c
crc64.c
ctype.c
debug_info.c
debug_locks.c
debugobjects.c
dec_and_lock.c
decompress.c
decompress_bunzip2.c
decompress_inflate.c
decompress_unlz4.c
decompress_unlzma.c
decompress_unlzo.c
decompress_unxz.c
decompress_unzstd.c lib: zstd: Add decompress_sources.h for decompress_unzstd 2021-11-08 16:55:26 -08:00
devmem_is_allowed.c
devres.c
digsig.c
dump_stack.c
dynamic_debug.c
dynamic_queue_limits.c
earlycpio.c
errname.c
error-inject.c
errseq.c
extable.c
fault-inject-usercopy.c
fault-inject.c
fdt.c
fdt_addresses.c
fdt_empty_tree.c
fdt_ro.c
fdt_rw.c
fdt_strerror.c
fdt_sw.c
fdt_wip.c
find_bit.c lib: add find_first_and_bit() 2022-01-15 08:47:31 -08:00
find_bit_benchmark.c lib: add find_first_and_bit() 2022-01-15 08:47:31 -08:00
flex_proportions.c
gen_crc32table.c
gen_crc64table.c
genalloc.c all: replace find_next{,_zero}_bit with find_first{,_zero}_bit where appropriate 2022-01-15 08:47:31 -08:00
generic-radix-tree.c
glob.c
globtest.c
hexdump.c
hweight.c
idr.c
inflate.c
interval_tree.c
interval_tree_test.c
iomap.c
iomap_copy.c
iommu-helper.c
iov_iter.c lib/iov_iter: initialize "flags" in new pipe_buffer 2022-02-21 10:16:39 -05:00
irq_poll.c
irq_regs.c
is_single_threaded.c
kasprintf.c
Kconfig ARM further fixes for 5.17-rc: 2022-03-02 16:11:56 -08:00
Kconfig.debug lib/Kconfig.debug: add ARCH dependency for FUNCTION_ALIGN option 2022-04-13 19:27:22 +02:00
Kconfig.kasan lib/stackdepot: allow optional init and stack_table allocation by kvmalloc() 2022-01-22 08:33:37 +02:00
Kconfig.kcsan kcsan: Support WEAK_MEMORY with Clang where no objtool support exists 2021-12-09 16:42:28 -08:00
Kconfig.kfence kfence: default to dynamic branch instead of static keys mode 2021-11-06 13:30:43 -07:00
Kconfig.kgdb
Kconfig.ubsan ubsan: remove CONFIG_UBSAN_OBJECT_SIZE 2022-01-20 08:52:55 +02:00
kfifo.c
klist.c
kobject.c driver core: make kobj_type constant. 2021-12-27 10:40:00 +01:00
kobject_uevent.c kobject: remove kset from struct kset_uevent_ops callbacks 2021-12-28 11:26:18 +01:00
kstrtox.c kstrtox: uninline everything 2022-01-20 08:52:53 +02:00
kstrtox.h
libcrc32c.c
linear_ranges.c
list-test.c
list_debug.c lib/list_debug.c: print more list debugging context in __list_del_entry_valid() 2022-01-20 08:52:53 +02:00
list_sort.c
llist.c
locking-selftest-hardirq.h
locking-selftest-mutex.h
locking-selftest-rlock-hardirq.h
locking-selftest-rlock-softirq.h
locking-selftest-rlock.h
locking-selftest-rsem.h
locking-selftest-rtmutex.h
locking-selftest-softirq.h
locking-selftest-spin-hardirq.h
locking-selftest-spin-softirq.h
locking-selftest-spin.h
locking-selftest-wlock-hardirq.h
locking-selftest-wlock-softirq.h
locking-selftest-wlock.h
locking-selftest-wsem.h
locking-selftest.c lockdep/selftests: Adapt ww-tests for PREEMPT_RT 2021-12-04 10:56:24 +01:00
lockref.c
logic_iomem.c lib/logic_iomem: correct fallback config references 2022-04-13 19:27:06 +02:00
logic_pio.c
lru_cache.c
lshrdi3.c
Makefile Merge branch 'akpm' (patches from Andrew) 2022-01-20 10:41:01 +02:00
memcat_p.c
memcpy_kunit.c
memory-notifier-error-inject.c
memregion.c
memweight.c
muldi3.c
net_utils.c
netdev-notifier-error-inject.c
nlattr.c
nmi_backtrace.c printk: restore flushing of NMI buffers on remote CPUs after NMI backtraces 2021-11-10 16:12:00 +01:00
nodemask.c
notifier-error-inject.c
notifier-error-inject.h
objagg.c lib: objagg: Use the bitmap API when applicable 2021-12-24 14:54:29 -08:00
of-reconfig-notifier-error-inject.c
oid_registry.c
once.c
packing.c
parman.c
parser.c
pci_iomap.c
percpu-refcount.c
percpu_counter.c
percpu_test.c
plist.c
pm-notifier-error-inject.c
radix-tree.c
random32.c
ratelimit.c
rbtree.c
rbtree_test.c
ref_tracker.c ref_tracker: implement use-after-free detection 2022-04-13 19:27:12 +02:00
refcount.c
rhashtable.c
sbitmap.c blk-mq: Fix wrong wakeup batch configuration which will cause hang 2022-01-27 10:15:32 -07:00
scatterlist.c mm/scatterlist: replace the !preemptible warning in sg_miter_stop() 2021-11-09 10:02:50 -08:00
seq_buf.c
sg_pool.c
sg_split.c
sha1.c lib/crypto: sha1: re-roll loops to reduce code size 2022-01-18 13:03:55 +01:00
show_mem.c
siphash.c siphash: use _unaligned version by default 2021-11-29 19:50:50 -08:00
slub_kunit.c
smp_processor_id.c
sort.c
stackdepot.c lib/stackdepot: always do filter_irq_stacks() in stack_depot_save() 2022-01-22 08:33:38 +02:00
stmp_device.c
string.c
string_helpers.c lib/string_helpers: Introduce managed variant of kasprintf_strarray() 2021-11-18 18:40:08 +02:00
strncpy_from_user.c
strnlen_user.c
syscall.c
test-kstrtox.c
test-string_helpers.c
test_bitmap.c lib: bitmap: add performance test for bitmap_print_to_pagebuf 2022-01-15 08:47:31 -08:00
test_bitops.c
test_bits.c
test_blackhole_dev.c
test_bpf.c bpf: Change value of MAX_TAIL_CALL_CNT from 32 to 33 2021-11-16 14:03:15 +01:00
test_debug_virtual.c
test_firmware.c
test_fpu.c
test_free_pages.c
test_hash.c test_hash.c: refactor into kunit 2022-01-20 08:52:54 +02:00
test_hexdump.c
test_hmm.c mm/hmm.c: allow VM_MIXEDMAP to work with hmm_range_fault 2022-01-15 16:30:31 +02:00
test_hmm_uapi.h
test_ida.c
test_kasan.c kasan: test: prevent cache merging in kmem_cache_double_destroy 2022-02-26 09:51:17 -08:00
test_kasan_module.c kasan: test: bypass __alloc_size checks 2021-11-06 13:30:33 -07:00
test_kmod.c lib/test: use after free in register_test_dev_kmod() 2022-04-08 13:58:35 +02:00
test_kprobes.c
test_linear_ranges.c
test_list_sort.c
test_lockup.c lib/test_lockup: fix kernel pointer check for separate address spaces 2022-04-08 13:58:44 +02:00
test_memcat_p.c
test_meminit.c lib/test_meminit: destroy cache in kmem_cache_alloc_bulk() test 2022-01-20 08:52:54 +02:00
test_min_heap.c
test_module.c
test_objagg.c
test_overflow.c
test_parman.c
test_printf.c
test_ref_tracker.c lib: add tests for reference tracker 2021-12-06 16:04:44 -08:00
test_rhashtable.c
test_scanf.c
test_siphash.c
test_sort.c
test_stackinit.c
test_static_key_base.c
test_static_keys.c
test_string.c
test_strscpy.c
test_sysctl.c test_sysctl: simplify subdirectory registration with register_sysctl() 2022-01-22 08:33:35 +02:00
test_ubsan.c ubsan: remove CONFIG_UBSAN_OBJECT_SIZE 2022-01-20 08:52:55 +02:00
test_user_copy.c
test_uuid.c
test_vmalloc.c lib/test_vmalloc.c: use swap() to make code cleaner 2021-11-06 13:30:37 -07:00
test_xarray.c XArray: Fix xas_create_range() when multi-order entry present 2022-04-08 13:58:54 +02:00
textsearch.c
timerqueue.c
ts_bm.c
ts_fsm.c
ts_kmp.c
ubsan.c
ubsan.h
ucmpdi2.c
ucs2_string.c
usercopy.c
uuid.c
vsprintf.c vsprintf: Fix %pK with kptr_restrict == 0 2022-04-08 13:57:49 +02:00
win_minmax.c
xarray.c XArray: Update the LRU list in xas_split() 2022-04-08 13:58:54 +02:00
xxhash.c