erofs: fix uninit-value in z_erofs_lz4_decompress

Message ID: tencent_8D66B23C9D36BA971637084BA27411767F09@qq.com
State: New
Series: erofs: fix uninit-value in z_erofs_lz4_decompress

Commit Message

Edward Adam Davis Dec. 29, 2023, 11:09 a.m. UTC
When LZ4 decompression fails, the number of bytes read from out should be 
inputsize plus the returned overflow value ret.

Reported-and-tested-by: syzbot+6c746eea496f34b3161d@syzkaller.appspotmail.com
Signed-off-by: Edward Adam Davis <eadavis@qq.com>
---
 fs/erofs/decompressor.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

Comments

Gao Xiang Dec. 31, 2023, 1:14 a.m. UTC | #1
On 2023/12/29 19:09, Edward Adam Davis wrote:
> When LZ4 decompression fails, the number of bytes read from out should be
> inputsize plus the returned overflow value ret.
> 
> Reported-and-tested-by: syzbot+6c746eea496f34b3161d@syzkaller.appspotmail.com
> Signed-off-by: Edward Adam Davis <eadavis@qq.com>
> ---
>   fs/erofs/decompressor.c | 3 ++-
>   1 file changed, 2 insertions(+), 1 deletion(-)
> 
> diff --git a/fs/erofs/decompressor.c b/fs/erofs/decompressor.c
> index 021be5feb1bc..8ac3f96676c4 100644
> --- a/fs/erofs/decompressor.c
> +++ b/fs/erofs/decompressor.c
> @@ -250,7 +250,8 @@ static int z_erofs_lz4_decompress_mem(struct z_erofs_lz4_decompress_ctx *ctx,
>   		print_hex_dump(KERN_DEBUG, "[ in]: ", DUMP_PREFIX_OFFSET,
>   			       16, 1, src + inputmargin, rq->inputsize, true);
>   		print_hex_dump(KERN_DEBUG, "[out]: ", DUMP_PREFIX_OFFSET,
> -			       16, 1, out, rq->outputsize, true);
> +			       16, 1, out, (ret < 0 && rq->inputsize > 0) ?
> +			       (ret + rq->inputsize) : rq->outputsize, true);

It's incorrect since the decompressed output buffer has no relationship
with `rq->inputsize`, and `ret + rq->inputsize` is meaningless too.

Also, the issue was already fixed by avoiding debugging messages as
https://lore.kernel.org/r/20231227151903.2900413-1-hsiangkao@linux.alibaba.com

Thanks,
Gao Xiang
Edward Adam Davis Dec. 31, 2023, 2:32 a.m. UTC | #2
On Sun, 31 Dec 2023 09:14:11 +0800, Gao Xiang wrote:
> > When LZ4 decompression fails, the number of bytes read from out should be
> > inputsize plus the returned overflow value ret.
> >
> > Reported-and-tested-by: syzbot+6c746eea496f34b3161d@syzkaller.appspotmail.com
> > Signed-off-by: Edward Adam Davis <eadavis@qq.com>
> > ---
> >   fs/erofs/decompressor.c | 3 ++-
> >   1 file changed, 2 insertions(+), 1 deletion(-)
> >
> > diff --git a/fs/erofs/decompressor.c b/fs/erofs/decompressor.c
> > index 021be5feb1bc..8ac3f96676c4 100644
> > --- a/fs/erofs/decompressor.c
> > +++ b/fs/erofs/decompressor.c
> > @@ -250,7 +250,8 @@ static int z_erofs_lz4_decompress_mem(struct z_erofs_lz4_decompress_ctx *ctx,
> >   		print_hex_dump(KERN_DEBUG, "[ in]: ", DUMP_PREFIX_OFFSET,
> >   			       16, 1, src + inputmargin, rq->inputsize, true);
> >   		print_hex_dump(KERN_DEBUG, "[out]: ", DUMP_PREFIX_OFFSET,
> > -			       16, 1, out, rq->outputsize, true);
> > +			       16, 1, out, (ret < 0 && rq->inputsize > 0) ?
> > +			       (ret + rq->inputsize) : rq->outputsize, true);
> 
> It's incorrect since the decompressed output buffer has no relationship
> with `rq->inputsize`, and `ret + rq->inputsize` is meaningless too.
In this case, the value of ret is -12.
When LZ4_decompress_generic() fails, it will return "return (int) (-(((const char *)ip) - src)) - 1;"

Therefore, it can be clearly stated that the decompression has been carried out
up to the 11th byte of src, so reading the value of the first 11 bytes of out is
effective. Therefore, my patch should be more accurate as follows:
-			       16, 1, out, rq->outputsize, true);
+			       16, 1, out, (ret < 0 && rq->inputsize > 0) ?
+			       (0 - ret) : rq->outputsize, true);
> 
> Also, the issue was already fixed by avoiding debugging messages as
> https://lore.kernel.org/r/20231227151903.2900413-1-hsiangkao@linux.alibaba.com
This just deleted the output.

BR,
Edward
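The disagreement in this thread comes down to what an LZ4 failure code actually encodes. The toy decoder below is an added example written for this page; it is not the kernel's lib/lz4 code nor anything from the erofs tree, and the three sample blocks are constructed here, not taken from the syzbot report. It keeps exactly one convention of the real decoder, the one Edward quotes: on failure it returns -(ip - src) - 1, where ip is the input position reached. It also reports, separately, how many output bytes it stored, so the reader can compare the two dump lengths proposed in the thread (`ret + inputsize` and `-ret`) against the number of bytes that are actually initialised in the output buffer. Struct field names, block contents and the 0xAA poison pattern are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy LZ4 block decoder (added example; not the kernel's lib/lz4 code).
 * On failure it returns -(ip - src) - 1, i.e. the INPUT position reached,
 * encoded as a negative number.  Nothing in that value says how many
 * OUTPUT bytes were written; *written reports that separately. */
static int toy_lz4_decompress(const uint8_t *src, int src_len,
                              uint8_t *dst, int dst_cap, int *written)
{
    const uint8_t *ip = src, *iend = src + src_len;
    uint8_t *op = dst, *oend = dst + dst_cap;
    unsigned offset, b;

    *written = 0;
    while (ip < iend) {
        unsigned token = *ip++;
        int lit = token >> 4, mlen = token & 0xF;

        if (lit == 15) {                        /* extended literal length */
            do {
                if (ip >= iend) goto fail;
                b = *ip++;
                lit += b;
            } while (b == 255);
        }
        if (iend - ip < lit || oend - op < lit) goto fail;
        memcpy(op, ip, lit);
        ip += lit;
        op += lit;
        *written = (int)(op - dst);
        if (ip == iend) break;                  /* final, literal-only sequence */

        if (iend - ip < 2) goto fail;           /* truncated match offset */
        offset = ip[0] | (ip[1] << 8);
        ip += 2;
        if (offset == 0 || (ptrdiff_t)offset > op - dst) goto fail;
        if (mlen == 15) {                       /* extended match length */
            do {
                if (ip >= iend) goto fail;
                b = *ip++;
                mlen += b;
            } while (b == 255);
        }
        mlen += 4;                              /* LZ4 minimum match length */
        if (oend - op < mlen) goto fail;
        for (int i = 0; i < mlen; i++)          /* byte copy, overlap-safe */
            op[i] = op[i - (int)offset];
        op += mlen;
        *written = (int)(op - dst);
    }
    return (int)(op - dst);
fail:
    return (int)(-(ip - src)) - 1;
}

struct decode_report {
    int ret;         /* decoder return value */
    int written;     /* output bytes the decoder actually stored */
    int input_pos;   /* input offset recovered from a failure code: -ret - 1 */
    long naive_a;    /* ret + inputsize: the dump length in the patch */
    long naive_b;    /* -ret: the revised dump length proposed in the thread */
    int safe_dump;   /* bytes of dst that are initialised and safe to dump */
};

static struct decode_report decode_and_report(const uint8_t *src, int src_len)
{
    uint8_t dst[64];
    struct decode_report r;

    memset(dst, 0xAA, sizeof dst);  /* poison: stands in for uninitialised memory */
    r.ret = toy_lz4_decompress(src, src_len, dst, (int)sizeof dst, &r.written);
    r.input_pos = r.ret < 0 ? -r.ret - 1 : src_len;
    r.naive_a = (long)r.ret + src_len;
    r.naive_b = -(long)r.ret;
    r.safe_dump = r.ret < 0 ? r.written : r.ret;
    return r;
}

/* Constructed sample blocks (assumptions of this example, not from the report). */
static const uint8_t GOOD_BLOCK[]       = {0x20, 'a', 'b', 0x02, 0x00, 0x10, 'c'};
static const uint8_t BAD_OFFSET_BLOCK[] = {0x20, 'a', 'b', 0x09, 0x00}; /* offset 9 > 2 bytes produced */
static const uint8_t TRUNCATED_BLOCK[]  = {0x20, 'a', 'b', 0x02};       /* offset field cut short */

static struct decode_report report_good(void)       { return decode_and_report(GOOD_BLOCK, (int)sizeof GOOD_BLOCK); }
static struct decode_report report_bad_offset(void) { return decode_and_report(BAD_OFFSET_BLOCK, (int)sizeof BAD_OFFSET_BLOCK); }
static struct decode_report report_truncated(void)  { return decode_and_report(TRUNCATED_BLOCK, (int)sizeof TRUNCATED_BLOCK); }

/* 1 if the well-formed block decodes to "abababc". */
static int good_block_decodes(void)
{
    uint8_t dst[64];
    int written;
    int ret = toy_lz4_decompress(GOOD_BLOCK, (int)sizeof GOOD_BLOCK, dst, (int)sizeof dst, &written);
    return ret == 7 && written == 7 && memcmp(dst, "abababc", 7) == 0;
}

int main(void)
{
    struct decode_report r[3] = { report_good(), report_bad_offset(), report_truncated() };
    const char *name[3] = { "good", "bad-offset", "truncated" };
    for (int i = 0; i < 3; i++)
        printf("%-10s ret=%3d written=%d input_pos=%d ret+inputsize=%ld -ret=%ld safe_dump=%d\n",
               name[i], r[i].ret, r[i].written, r[i].input_pos,
               r[i].naive_a, r[i].naive_b, r[i].safe_dump);
    return 0;
}
```

For the bad-offset block the decoder fails after consuming 5 input bytes, so `ret` is -6 while only 2 output bytes were ever stored: `ret + inputsize` comes out as -1 (which a `size_t` length parameter would turn into an enormous read) and `-ret` comes out as 6, four bytes past the initialised region. Only the decoder's own count of bytes written bounds what is safe to dump, which is why sizing a debug dump from the failure code cannot cure the uninit-value report.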
Patch

diff --git a/fs/erofs/decompressor.c b/fs/erofs/decompressor.c
index 021be5feb1bc..8ac3f96676c4 100644
--- a/fs/erofs/decompressor.c
+++ b/fs/erofs/decompressor.c
@@ -250,7 +250,8 @@  static int z_erofs_lz4_decompress_mem(struct z_erofs_lz4_decompress_ctx *ctx,
 		print_hex_dump(KERN_DEBUG, "[ in]: ", DUMP_PREFIX_OFFSET,
 			       16, 1, src + inputmargin, rq->inputsize, true);
 		print_hex_dump(KERN_DEBUG, "[out]: ", DUMP_PREFIX_OFFSET,
-			       16, 1, out, rq->outputsize, true);
+			       16, 1, out, (ret < 0 && rq->inputsize > 0) ? 
+			       (ret + rq->inputsize) : rq->outputsize, true);
 
 		if (ret >= 0)
 			memset(out + ret, 0, rq->outputsize - ret);
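Review bot: the new length expression in the "[out]" `print_hex_dump()` call can go negative and is not bounded by what the decoder wrote. On failure the LZ4 decoder returns `-(ip - src) - 1` (as quoted later in this thread), so when it stops at the end of the input `ret + rq->inputsize` evaluates to -1; the guard `ret < 0 && rq->inputsize > 0` does not catch that, and since `print_hex_dump()` takes `len` as `size_t` the negative value becomes a huge length. More to the point of the uninit-value report, the value encodes an input offset and says nothing about how many bytes were stored in `out`, so it cannot bound the initialised part of the buffer; either limit the dump to bytes the decoder actually produced or, as the fix referenced in comment #1 does, drop the dump on failure. Minor: the first added line carries trailing whitespace after the `?`.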