Message ID | tencent_8D66B23C9D36BA971637084BA27411767F09@qq.com |
---|---|
State | New |
Headers |
From: Edward Adam Davis <eadavis@qq.com>
To: syzbot+6c746eea496f34b3161d@syzkaller.appspotmail.com
Cc: chao@kernel.org, huyue2@coolpad.com, jefflexu@linux.alibaba.com, linux-erofs@lists.ozlabs.org, linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com, xiang@kernel.org
Subject: [PATCH] erofs: fix uninit-value in z_erofs_lz4_decompress
Date: Fri, 29 Dec 2023 19:09:39 +0800
In-Reply-To: <000000000000321c24060d7cfa1c@google.com>
References: <000000000000321c24060d7cfa1c@google.com> |
Series |
erofs: fix uninit-value in z_erofs_lz4_decompress
|
|
Commit Message
Edward Adam Davis
Dec. 29, 2023, 11:09 a.m. UTC
When LZ4 decompression fails, the number of bytes read from out should be
inputsize plus the returned overflow value ret.
Reported-and-tested-by: syzbot+6c746eea496f34b3161d@syzkaller.appspotmail.com
Signed-off-by: Edward Adam Davis <eadavis@qq.com>
---
fs/erofs/decompressor.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
Comments
On 2023/12/29 19:09, Edward Adam Davis wrote: > When LZ4 decompression fails, the number of bytes read from out should be > inputsize plus the returned overflow value ret. > > Reported-and-tested-by: syzbot+6c746eea496f34b3161d@syzkaller.appspotmail.com > Signed-off-by: Edward Adam Davis <eadavis@qq.com> > --- > fs/erofs/decompressor.c | 3 ++- > 1 file changed, 2 insertions(+), 1 deletion(-) > > diff --git a/fs/erofs/decompressor.c b/fs/erofs/decompressor.c > index 021be5feb1bc..8ac3f96676c4 100644 > --- a/fs/erofs/decompressor.c > +++ b/fs/erofs/decompressor.c > @@ -250,7 +250,8 @@ static int z_erofs_lz4_decompress_mem(struct z_erofs_lz4_decompress_ctx *ctx, > print_hex_dump(KERN_DEBUG, "[ in]: ", DUMP_PREFIX_OFFSET, > 16, 1, src + inputmargin, rq->inputsize, true); > print_hex_dump(KERN_DEBUG, "[out]: ", DUMP_PREFIX_OFFSET, > - 16, 1, out, rq->outputsize, true); > + 16, 1, out, (ret < 0 && rq->inputsize > 0) ? > + (ret + rq->inputsize) : rq->outputsize, true); It's incorrect since output decompressed buffer has no relationship with `rq->inputsize` and `ret + rq->inputsize` is meaningless too. Also, the issue was already fixed by avoiding debugging messages as https://lore.kernel.org/r/20231227151903.2900413-1-hsiangkao@linux.alibaba.com Thanks, Gao Xiang
On Sun, 31 Dec 2023 09:14:11 +0800, Gao Xiang wrote: > > When LZ4 decompression fails, the number of bytes read from out should be > > inputsize plus the returned overflow value ret. > > > > Reported-and-tested-by: syzbot+6c746eea496f34b3161d@syzkaller.appspotmail.com > > Signed-off-by: Edward Adam Davis <eadavis@qq.com> > > --- > > fs/erofs/decompressor.c | 3 ++- > > 1 file changed, 2 insertions(+), 1 deletion(-) > > > > diff --git a/fs/erofs/decompressor.c b/fs/erofs/decompressor.c > > index 021be5feb1bc..8ac3f96676c4 100644 > > --- a/fs/erofs/decompressor.c > > +++ b/fs/erofs/decompressor.c > > @@ -250,7 +250,8 @@ static int z_erofs_lz4_decompress_mem(struct z_erofs_lz4_decompress_ctx *ctx, > > print_hex_dump(KERN_DEBUG, "[ in]: ", DUMP_PREFIX_OFFSET, > > 16, 1, src + inputmargin, rq->inputsize, true); > > print_hex_dump(KERN_DEBUG, "[out]: ", DUMP_PREFIX_OFFSET, > > - 16, 1, out, rq->outputsize, true); > > + 16, 1, out, (ret < 0 && rq->inputsize > 0) ? > > + (ret + rq->inputsize) : rq->outputsize, true); > > It's incorrect since output decompressed buffer has no relationship > with `rq->inputsize` and `ret + rq->inputsize` is meaningless too. In this case, the value of ret is -12. When LZ4_decompress_generic() fails, it will return "return (int) (- ((const char *) ip) - src) -1;" Therefore, it can be clearly stated that the decompression has been carried out to the 11 bytes of src, so reading the value of the first 11 bytes of out is effective. Therefore, my patch should be more accurate as follows: - 16, 1, out, rq->outputsize, true); + 16, 1, out, (ret < 0 && rq->inputsize > 0) ? + (0 - ret) : rq->outputsize, true); > > Also, the issue was already fixed by avoiding debugging messages as > https://lore.kernel.org/r/20231227151903.2900413-1-hsiangkao@linux.alibaba.com This just deleted the output. BR, Edward
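Review bot: in the revised fragment, `(0 - ret)` is off by one against the return encoding given just above it: for ret = -12 the message says decompression reached 11 bytes of src, but `0 - ret` passes 12 as the dump length, so the expression would need to be `-ret - 1` if that position is what is meant. The value is also derived from ip and src, so it is an offset into the input rather than a count of bytes written to out, and it is still not clamped to rq->outputsize. The `rq->inputsize > 0` test no longer relates to the expression it guards and can be dropped.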
diff --git a/fs/erofs/decompressor.c b/fs/erofs/decompressor.c index 021be5feb1bc..8ac3f96676c4 100644 --- a/fs/erofs/decompressor.c +++ b/fs/erofs/decompressor.c @@ -250,7 +250,8 @@ static int z_erofs_lz4_decompress_mem(struct z_erofs_lz4_decompress_ctx *ctx, print_hex_dump(KERN_DEBUG, "[ in]: ", DUMP_PREFIX_OFFSET, 16, 1, src + inputmargin, rq->inputsize, true); print_hex_dump(KERN_DEBUG, "[out]: ", DUMP_PREFIX_OFFSET, - 16, 1, out, rq->outputsize, true); + 16, 1, out, (ret < 0 && rq->inputsize > 0) ? + (ret + rq->inputsize) : rq->outputsize, true); if (ret >= 0) memset(out + ret, 0, rq->outputsize - ret);
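Review bot: the new length for the "[out]" dump, `ret + rq->inputsize`, has no visible lower or upper bound: the `ret < 0 && rq->inputsize > 0` test does not stop the sum from going below zero when the magnitude of ret exceeds rq->inputsize, and nothing caps it at rq->outputsize, which is the size used for out everywhere else in this hunk. It also sizes a dump of out from an input-side quantity, while the trailing context shows out is only zero-filled when `ret >= 0`, so on the failure path the bytes being printed may never have been written. Suggest computing the length in a named local with a comment on what a negative ret encodes, clamping it to rq->outputsize, and keeping the ternary out of the print_hex_dump argument list.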