lz4 SIGSEGV in LZ4_decompress_generic

Bug #1851499 reported by Michail
Affects           Status        Importance  Assigned to  Milestone
lz4 (Ubuntu)      Fix Released  High        Unassigned
  Xenial          Triaged       High        Unassigned
  Bionic          Triaged       High        Unassigned
  Disco           Won't Fix     High        Unassigned
  Eoan            Fix Released  High        Unassigned
  Focal           Fix Released  High        Unassigned

Bug Description

Affected packages:

https://packages.ubuntu.com/xenial/liblz4-1
https://packages.ubuntu.com/bionic/liblz4-1
https://packages.ubuntu.com/cosmic/liblz4-1
https://packages.ubuntu.com/disco/liblz4-1

Non-Affected packages:
https://packages.ubuntu.com/eoan/liblz4-1

Description:

I got a SIGSEGV with lz4 when trying to read a corrupted stream.
No null ptr check of source in LZ4_decompress_generic

Description of problem:

No null ptr check of source in LZ4_decompress_generic

(gdb) bt
#0 0x00007ffff74ede70 in LZ4_decompress_generic (source=0x0,
    dest=0x631000028800 "press.foo.bar.6057 1
349830001\ncompress.foo.bar.6058 1 349830001\ncompress.foo.bar.6059 1
349830001\ncompress.foo.bar.6060 1 349830001\ncompress.foo.bar.6061 1
349830001\ncompress.foo.bar.6062 1 349830001"..., inputSize=1253,
outputSize=65536, endOnInput=1, partialDecoding=0, targetOutputSize=0,
dict=0,
    lowPrefix=0x631000028800 "press.foo.bar.6057 1
349830001\ncompress.foo.bar.6058 1 349830001\ncompress.foo.bar.6059 1
349830001\ncompress.foo.bar.6060 1 349830001\ncompress.foo.bar.6061 1
349830001\ncompress.foo.bar.6062 1 349830001"..., dictStart=0x0,
dictSize=0) at lz4.c:1157
#1 LZ4_decompress_safe (source=0x0,
    dest=0x631000028800 "press.foo.bar.6057 1
349830001\ncompress.foo.bar.6058 1 349830001\ncompress.foo.bar.6059 1
349830001\ncompress.foo.bar.6060 1 349830001\ncompress.foo.bar.6061 1
349830001\ncompress.foo.bar.6062 1 349830001"..., compressedSize=1253,
maxDecompressedSize=65536) at lz4.c:1290
#2 0x00007ffff7560631 in LZ4F_decompress_safe (source=0x0,
    dest=0x631000028800 "press.foo.bar.6057 1
349830001\ncompress.foo.bar.6058 1 349830001\ncompress.foo.bar.6059 1
349830001\ncompress.foo.bar.6060 1 349830001\ncompress.foo.bar.6061 1
349830001\ncompress.foo.bar.6062 1 349830001"..., compressedSize=1253,
maxDecompressedSize=65536,
    dictStart=0x631000028800 "press.foo.bar.6057 1
349830001\ncompress.foo.bar.6058 1 349830001\ncompress.foo.bar.6059 1
349830001\ncompress.foo.bar.6060 1 349830001\ncompress.foo.bar.6061 1
349830001\ncompress.foo.bar.6062 1 349830001"..., dictSize=0) at
lz4frame.c:957
#3 0x00007ffff755595b in LZ4F_decompress
(decompressionContext=0x61100000ff40, dstBuffer=0x7fffe8bdd82c,
dstSizePtr=0x7ffff0cf96e0, srcBuffer=0x62d000014400,
srcSizePtr=0x7ffff0cf96c0,
    decompressOptionsPtr=0x7ffff0cf8120) at lz4frame.c:1294

Version-Release number of selected component (if applicable):

In lz4 from HEAD the bug was fixed:
https://github.com/lz4/lz4/blob/master/lib/lz4.c#L1668
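The backtrace above shows the block decoder being entered with source=0x0 and a non-zero inputSize, and the upstream fix is a check on the source pointer. As an added illustration of the input validation a block decoder needs (this is not lz4's code, and the sample block is constructed by hand for the example), here is a minimal, bounds-checked decoder for the LZ4 block format: it rejects a NULL source, a truncated sequence, an offset that points before the start of the output, and any literal or match that would overflow the destination buffer.

```c
/* Added example: a minimal, bounds-checked decoder for the LZ4 block format,
 * written to illustrate the input checks a decoder like LZ4_decompress_generic
 * must make. Not lz4's own code; the sample block below is constructed by hand. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Decode one LZ4 block from src into dst.
 * Returns the number of bytes written, or -1 if the input is NULL, malformed,
 * truncated, or would overflow dst. Never reads or writes outside the buffers. */
int lz4_block_decompress_safe(const uint8_t *src, size_t src_len,
                              uint8_t *dst, size_t dst_cap)
{
    size_t ip = 0, op = 0;

    /* The check this bug report is about: a NULL source must be rejected
     * before any byte is dereferenced. */
    if (src == NULL || dst == NULL) return -1;

    while (ip < src_len) {
        uint8_t token = src[ip++];

        /* Literal length: high nibble; 15 means further length bytes follow. */
        size_t lit = token >> 4;
        if (lit == 15) {
            uint8_t b;
            do {
                if (ip >= src_len) return -1;      /* truncated length field */
                b = src[ip++];
                lit += b;
            } while (b == 255);
        }
        if (lit > src_len - ip) return -1;         /* literals run past the input */
        if (lit > dst_cap - op) return -1;         /* literals overflow the output */
        memcpy(dst + op, src + ip, lit);
        ip += lit;
        op += lit;
        if (ip == src_len) break;                  /* last sequence: literals only */

        /* Match offset: 2 bytes little-endian. 0 is invalid, and the match may
         * not start before the beginning of what has been decoded so far. */
        if (src_len - ip < 2) return -1;           /* truncated offset */
        size_t offset = (size_t)src[ip] | ((size_t)src[ip + 1] << 8);
        ip += 2;
        if (offset == 0 || offset > op) return -1;

        /* Match length: low nibble + 4 (minimum match), same extension rule. */
        size_t mlen = token & 0x0F;
        if (mlen == 15) {
            uint8_t b;
            do {
                if (ip >= src_len) return -1;
                b = src[ip++];
                mlen += b;
            } while (b == 255);
        }
        mlen += 4;
        if (mlen > dst_cap - op) return -1;        /* match overflows the output */

        /* Byte-wise copy so overlapping matches (offset < mlen, the
         * run-length case) repeat the pattern correctly. */
        for (size_t i = 0; i < mlen; i++) {
            dst[op] = dst[op - offset];
            op++;
        }
    }
    return (int)op;   /* dst_cap is assumed to fit in an int for this example */
}

/* Constructed sample block encoding "hello hello hello world":
 *   token 0x68: 6 literals, match length 8+4 = 12
 *   "hello ", offset 6 (06 00)
 *   token 0x50: 5 literals, no match (last sequence)
 *   "world" */
static const uint8_t kSampleBlock[] = {
    0x68, 'h', 'e', 'l', 'l', 'o', ' ', 0x06, 0x00,
    0x50, 'w', 'o', 'r', 'l', 'd'
};

int main(void)
{
    uint8_t out[64];
    int n = lz4_block_decompress_safe(kSampleBlock, sizeof kSampleBlock, out, sizeof out);
    printf("valid block: %d bytes -> \"%.*s\"\n", n, n, (const char *)out);
    printf("NULL source: %d\n",
           lz4_block_decompress_safe(NULL, sizeof kSampleBlock, out, sizeof out));
    printf("truncated block: %d\n",
           lz4_block_decompress_safe(kSampleBlock, 8, out, sizeof out));
    printf("output too small: %d\n",
           lz4_block_decompress_safe(kSampleBlock, sizeof kSampleBlock, out, 10));
    return 0;
}
```

Every failure path returns -1 instead of touching memory it has not validated, which is the property the crashing decoder lacked for the NULL-source case; a caller that reuses a decoder context after such a failure still has to put that context back into a known state, which is what the discussion below is about.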

tags: added: rls-ff-incoming
Changed in lz4 (Ubuntu):
importance: Undecided → High
status: New → Triaged
Michail (msaf1980) wrote :

The problem is more complex. When an incomplete frame is received, the decompression context needs to be reset with LZ4F_resetDecompressionContext (added in lz4 1.8.0).

I added a simple port:

/* Return the frame decompression context to its initial state (waiting for a
 * frame header) and drop any dictionary left over from the aborted frame. */
void LZ4F_resetDecompressionContext(LZ4F_dctx* dctx)
{
    dctx->dStage = dstage_getHeader;
    dctx->dict = NULL;
    dctx->dictSize = 0;
}

And with the first patch the problem was solved.

Dimitri John Ledkov (xnox) wrote :

@Michail Do you have a full patch against e.g. disco sources / version?

tags: removed: rls-ff-incoming
Michail (msaf1980) wrote :

Patches for Ubuntu Bionic (and Debian Stretch)

Michail (msaf1980) wrote :

For Ubuntu Xenial the last patches also work.

Michail (msaf1980) wrote :

For Ubuntu Cosmic (lz4-1.8.2)

Michail (msaf1980) wrote :

For Ubuntu Disco (lz4-1.8.3)

Michail (msaf1980) wrote :

Ubuntu Focal and Debian Buster are not affected - in lz4 1.9 all problems are already fixed.

Michail (msaf1980) wrote :

A correction - for Debian Buster a patch is needed.

Ubuntu Foundations Team Bug Bot (crichton) wrote :

The attachment "lz4-1.8.2-null-check-in-lz4-decompress.patch" seems to be a patch. If it isn't, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-reviewers, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issues please contact him.]

tags: added: patch
tags: added: id-5dc458085d71d510ddb98b36
information type: Public → Public Security
Changed in lz4 (Ubuntu Focal):
status: Triaged → Fix Released
Changed in lz4 (Ubuntu Eoan):
status: New → Fix Released
Brian Murray (brian-murray) wrote :

The bug description mentions a corrupt stream. For the Stable Release Update we will need a test case to ensure that the bug is fixed. Could you help us out creating a test case with a corrupt stream? Thanks in advance.

Michail (msaf1980) wrote :

Hello. The bug was found while working on compression in carbon-c-relay:

https://github.com/msaf1980/carbon-c-relay/tree/fix_compress

To reproduce:

git clone https://github.com/msaf1980/carbon-c-relay
cd carbon-c-relay
git checkout fix_compress

autoreconf -fi
./configure --with-lz4 --without-gzip --without-snappy --without-ssl
make clean
make -j 4 test

LZ4F_resetDecompressionContext is required to recover the lz4 decompression context after trying to decompress an incomplete block in a frame.

If you need to see a segfault, comment out the call to LZ4F_resetDecompressionContext(strm->hdl.lz4.lz) at dispatcher.c:381.

Changed in lz4 (Ubuntu Disco):
status: New → Won't Fix
Changed in lz4 (Ubuntu Xenial):
assignee: nobody → Brian Murray (brian-murray)
Changed in lz4 (Ubuntu Bionic):
assignee: nobody → Brian Murray (brian-murray)
Changed in lz4 (Ubuntu Xenial):
status: New → In Progress
Changed in lz4 (Ubuntu Bionic):
status: New → In Progress
Chris Halse Rogers (raof) wrote :

This patch looks like it adds a public symbol, but doesn't add it to liblz4-1.symbols? What mechanism does this have to ensure that code built against the new symbol gets a compatible version of liblz4-1?

Mathew Hodson (mhodson)
Changed in lz4 (Ubuntu Xenial):
importance: Undecided → High
Changed in lz4 (Ubuntu Bionic):
importance: Undecided → High
Changed in lz4 (Ubuntu Disco):
importance: Undecided → High
Changed in lz4 (Ubuntu Eoan):
importance: Undecided → High
Robie Basak (racb) wrote : Proposed package upload rejected

An upload of lz4 to xenial-proposed has been rejected from the upload queue for the following reason: "Possible missing symbols file entry; see comment 12".

Robie Basak (racb) wrote :

An upload of lz4 to bionic-proposed has been rejected from the upload queue for the following reason: "Possible missing symbols file entry; see comment 12".

Changed in lz4 (Ubuntu Xenial):
assignee: Brian Murray (brian-murray) → nobody
Changed in lz4 (Ubuntu Bionic):
assignee: Brian Murray (brian-murray) → nobody
Changed in lz4 (Ubuntu Xenial):
status: In Progress → Triaged
Changed in lz4 (Ubuntu Bionic):
status: In Progress → Triaged
This report contains Public Security information.