lz4: Fix out-of-bounds reads

Fix two out-of-bounds reads in lz4 decompression: 1) LZ4_decompress_generic could read one byte past the input buffer when decoding variable length literals due to a missing bounds check. This issue was resolved in libpayload, commonlib and cbfstool 2) ulz4fn could read up to 4 bytes past the input buffer when reading a lz4_block_header due to a missing bounds check. This issue was resolved in libpayload and commonlib. Change-Id: I5afdf7e1d43ecdb06c7b288be46813c1017569fc Signed-off-by: Alex Rebert <alexandre.rebert@gmail.com> Found-by: Mayhem Reviewed-on: https://review.coreboot.org/c/coreboot/+/39174 Tested-by: build bot (Jenkins) <no-reply@coreboot.org> Reviewed-by: Patrick Georgi <pgeorgi@google.com>
2020-02-29 17:36:08 -05:00 · 2020-02-29 17:36:08 -05:00 · 70282aece0
parent e5e24107f9
commit 70282aece0
5 changed files with 9 additions and 0 deletions
--- a/payloads/libpayload/liblz4/lz4.c.inc
+++ b/payloads/libpayload/liblz4/lz4.c.inc
@ -150,6 +150,7 @@ FORCE_INLINE int LZ4_decompress_generic(
        if ((length=(token>>ML_BITS)) == RUN_MASK)
        {
            unsigned s;
+            if ((endOnInput) && unlikely(ip>=iend-RUN_MASK)) goto _output_error;   /* overflow detection */
            do
            {
                s = *ip++;
--- a/payloads/libpayload/liblz4/lz4_wrapper.c
+++ b/payloads/libpayload/liblz4/lz4_wrapper.c
@ -141,6 +141,9 @@ size_t ulz4fn(const void *src, size_t srcn, void *dst, size_t dstn)
 	}

 	while (1) {
+		if ((size_t)(in - src) + sizeof(struct lz4_block_header) > srcn)
+			break;          /* input overrun */
+
 		struct lz4_block_header b = { .raw = le32toh(*(uint32_t *)in) };
 		in += sizeof(struct lz4_block_header);

--- a/src/commonlib/bsd/lz4.c.inc
+++ b/src/commonlib/bsd/lz4.c.inc
@ -150,6 +150,7 @@ FORCE_INLINE int LZ4_decompress_generic(
        if ((length=(token>>ML_BITS)) == RUN_MASK)
        {
            unsigned s;
+            if ((endOnInput) && unlikely(ip>=iend-RUN_MASK)) goto _output_error;   /* overflow detection */
            do
            {
                s = *ip++;
--- a/src/commonlib/bsd/lz4_wrapper.c
+++ b/src/commonlib/bsd/lz4_wrapper.c
@ -129,6 +129,9 @@ size_t ulz4fn(const void *src, size_t srcn, void *dst, size_t dstn)
 	}

 	while (1) {
+		if ((size_t)(in - src) + sizeof(struct lz4_block_header) > srcn)
+			break;          /* input overrun */
+
 		struct lz4_block_header b = {
 			{ .raw = le32toh(*(const uint32_t *)in) }
 		};
--- a/util/cbfstool/lz4/lib/lz4.c
+++ b/util/cbfstool/lz4/lib/lz4.c
@ -1206,6 +1206,7 @@ FORCE_INLINE int LZ4_decompress_generic(
        if ((length=(token>>ML_BITS)) == RUN_MASK)
        {
            unsigned s;
+            if ((endOnInput) && unlikely(ip>=iend-RUN_MASK)) goto _output_error;   /* overflow detection */
            do
            {
                s = *ip++;