New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Fix potential memory corruption with negative memmove() size #972
Conversation
According to https://bugzilla.redhat.com/show_bug.cgi?id=1954559 this issue has CVE-2021-3520 assigned. |
Thanks @jasperla , |
Any idea when a new version with this fix will be released? |
See https://nvd.nist.gov/vuln/detail/CVE-2021-3520 for more details This is the upstream patch by Jasper Lievisse Adriaanse. "Fix potential memory corruption with negative memmove() size" lz4/lz4#972
* [lz4] Patch for CVE-2021-3520 See https://nvd.nist.gov/vuln/detail/CVE-2021-3520 for more details This is the upstream patch by Jasper Lievisse Adriaanse. "Fix potential memory corruption with negative memmove() size" lz4/lz4#972 * Added license to lz4/vcpkg.json
Upgrade to `lz4-sys 1.9.4` to fix security vulnerability detected by cargo deny check: ``` error[A001]: Memory corruption in liblz4 ┌─ /github/workspace/Cargo.lock:98:1 │ 98 │ lz4-sys 1.9.3 registry+https://github.com/rust-lang/crates.io-index │ ------------------------------------------------------------------- security vulnerability detected │ = ID: RUSTSEC-2022-0051 = Advisory: https://rustsec.org/advisories/RUSTSEC-2022-0051 = lz4-sys up to v1.9.3 bundles a version of liblz4 that is vulnerable to [CVE-2021-3520](https://nvd.nist.gov/vuln/detail/CVE-2021-3520). Attackers could craft a payload that triggers an integer overflow upon decompression, causing an out-of-bounds write. The flaw has been corrected in version v1.9.4 of liblz4, which is included in lz4-sys 1.9.4. = Announcement: lz4/lz4#972 = Solution: Upgrade to >=1.9.4 ``` Signed-off-by: Yan Song <imeoer@linux.alibaba.com>
Upgrade to `lz4-sys 1.9.4` to fix security vulnerability detected by cargo deny check: ``` error[A001]: Memory corruption in liblz4 ┌─ /github/workspace/Cargo.lock:98:1 │ 98 │ lz4-sys 1.9.3 registry+https://github.com/rust-lang/crates.io-index │ ------------------------------------------------------------------- security vulnerability detected │ = ID: RUSTSEC-2022-0051 = Advisory: https://rustsec.org/advisories/RUSTSEC-2022-0051 = lz4-sys up to v1.9.3 bundles a version of liblz4 that is vulnerable to [CVE-2021-3520](https://nvd.nist.gov/vuln/detail/CVE-2021-3520). Attackers could craft a payload that triggers an integer overflow upon decompression, causing an out-of-bounds write. The flaw has been corrected in version v1.9.4 of liblz4, which is included in lz4-sys 1.9.4. = Announcement: lz4/lz4#972 = Solution: Upgrade to >=1.9.4 ``` Signed-off-by: Yan Song <imeoer@linux.alibaba.com>
Upgrade to `lz4-sys 1.9.4` to fix security vulnerability detected by `cargo deny check`: ``` error[A001]: Memory corruption in liblz4 ┌─ /github/workspace/Cargo.lock:98:1 │ 98 │ lz4-sys 1.9.3 registry+https://github.com/rust-lang/crates.io-index │ ------------------------------------------------------------------- security vulnerability detected │ = ID: RUSTSEC-2022-0051 = Advisory: https://rustsec.org/advisories/RUSTSEC-2022-0051 = lz4-sys up to v1.9.3 bundles a version of liblz4 that is vulnerable to [CVE-2021-3520](https://nvd.nist.gov/vuln/detail/CVE-2021-3520). Attackers could craft a payload that triggers an integer overflow upon decompression, causing an out-of-bounds write. The flaw has been corrected in version v1.9.4 of liblz4, which is included in lz4-sys 1.9.4. = Announcement: lz4/lz4#972 = Solution: Upgrade to >=1.9.4 ``` Signed-off-by: Yan Song <imeoer@linux.alibaba.com>
Worth mentioning here, since this PR is referenced elsewhere : These sizes are incompatible with the reference Consequently, the Obviously, in this case, the problem is aggravated because the size is converted into an How to behave in presence of such a user-side bug can be discussed, and in this PR, it's suggested to extend the interface contract of the decompression function, so that it returns an error code when it detects a negative size (i.e. it now has a defined behavior for this scenario). However, this won't help if the |
I noticed a crash with
lz4jsoncat
when using this script to craft a payload:If the decompressed size is big enough, e.g.
0xff000000
-0xffffffff
it will lead to a crash in liblz4:The crash is due mishandling of the provided size of the decompressed contents in
LZ4_decompress_generic()
.With a size set in the payload as
0xffffffff
,dstSize
became-1
and eventually gets passed tomemmove()
:lz4/lib/lz4.c
Line 2038 in 909aae8
The original crash as observed from GDB:
When liblz4 is built with
-DLZ4_DEBUG=N
where N > 0, an assert is triggered instead:lz4/lib/lz4.c
Line 2020 in 909aae8
The result is an abort of the application without making it to
memmove()
. The default configuration is withLZ4_DEBUG
undefined (i.e. the assert is not hit).The crasher was originally produced by AFL on Kali Linux and libz4+lz4jsoncat from git. This PR provides a simple check upfront to ensure no obviously invalid sizes are handled.