From http://seclists.org/oss-sec/2014/q2/666:

CVE ID: CVE-2014-4608
Researcher Name: Don A. Bailey
Researcher Organization: Lab Mouse Security
Researcher Email: donb at securitymouse.com
Researcher Website: www.securitymouse.com
Vulnerability Status: Patched
Vulnerability Embargo: Broken
Vulnerability Class: Integer Overflow
Vulnerability Effect: Memory Corruption
Vulnerability Impact: DoS, OOW
Vulnerability DoS Practicality: Practical
Vulnerability OOW Practicality: Impractical
Vulnerability Criticality: Moderate
Vulnerability Scope: All versions of the Linux kernel (3x/2x) with LZO support (lib/lzo) that set the HAVE_EFFICIENT_UNALIGNED_ACCESS configuration option. Currently, this seems to include PowerPC and i386.

...

Vulnerability Resolution
------------------------
To resolve this issue, the HAVE_OP and HAVE_IP macros should be enhanced to detect integer overflow. This is the most reasonable and efficient location for catching corrupted or instrumented payloads. By testing for overflow here, an attacker is simply wasting time by forcing the function to process a large amount of zero bytes.

From http://seclists.org/oss-sec/2014/q2/669:

Researcher Name: Don A. Bailey
Researcher Organization: Lab Mouse Security
Researcher Email: donb at securitymouse.com
Researcher Website: www.securitymouse.com
Vulnerability Status: Patched
Vulnerability Embargo: Broken
Vulnerability Class: Integer Overflow
Vulnerability Effect: Memory Corruption
Vulnerability Impact: DoS, RCE
Vulnerability DoS Practicality: Practical
Vulnerability RCE Practicality: Practical
Vulnerability Criticality: High
Vulnerability Scope: All versions of the Linux kernel (3x/2x) with LZ4 support (lib/lz4).
Functions Affected: lib/lz4/lz4_decompress.c:lz4_uncompress

Criticality Reasoning
---------------------
Due to the design of the algorithm, an attacker can specify any desired offset to a write pointer. The attacker can instrument the write in such a way as to only write four bytes at a specified offset. Subsequent code will allow the attacker to escape from the decompression algorithm without further memory corruption. This may allow the attacker to overwrite critical structures in memory that affect flow of execution.

Vulnerability Description
-------------------------
An integer overflow can occur when processing any variant of a "literal run" in the lz4_uncompress function.

Vulnerability Resolution
------------------------
The Linux kernel team has resolved this vulnerability.
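An added illustration, not code from the advisories or from the kernel: a hypothetical 32-bit model of the two places a literal-run decoder of this shape can overflow (the accumulated run length, and an "op + length > oend" output check), each beside the guarded form the resolution above calls for. The function names and the constructed input size are assumptions.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical model, not the kernel's code: a token nibble (0..15) gives the
 * run length; 15 means extension bytes follow and are summed until one is
 * below 255. On a 32-bit build the accumulator wraps after ~16.8M bytes of
 * 255; with guard=true the run is rejected before it can wrap.
 * Returns the length, or -1 on rejection or truncated input. */
int64_t run_length(const uint8_t *ip, const uint8_t *iend, unsigned nibble, bool guard)
{
    uint32_t length = nibble;
    if (nibble == 15) {
        uint8_t s;
        do {
            if (ip >= iend) return -1;             /* input exhausted */
            s = *ip++;
            if (guard && s > UINT32_MAX - length)  /* would wrap: reject */
                return -1;
            length += s;
        } while (s == 255);
    }
    return (int64_t)length;
}

/* Output bounds check written as "op + length > oend" with a 32-bit cursor:
 * the addition itself can wrap, so an oversized length is reported as fitting. */
bool fits_naive(uint32_t op_off, uint32_t out_size, uint32_t length)
{
    return op_off + length <= out_size;
}

/* Hardened form: compare the length with the room left instead of adding. */
bool fits_safe(uint32_t op_off, uint32_t out_size, uint32_t length)
{
    return op_off <= out_size && length <= out_size - op_off;
}

/* Constructed input: 16843010 bytes of 255 then a 0 terminator. Unguarded, the
 * sum 15 + 255*16843010 wraps to 269; guarded, run_length() returns -1. */
int64_t decode_wrapping_run(bool guard)
{
    size_t n = 16843011;
    uint8_t *buf = malloc(n);
    if (!buf) return -1;
    memset(buf, 255, n - 1);
    buf[n - 1] = 0;
    int64_t len = run_length(buf, buf + n, 15, guard);
    free(buf);
    return len;
}
```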
As pointed out in http://seclists.org/oss-sec/2014/q2/682: I think it's worth pointing out that the Linux kernel only introduced LZ4 support in 3.11. This is why from the new kernel.org stable releases yesterday, only 3.14.9 and 3.15.2 contain the LZ4 patch. 3.10.45 and 3.4.95 don't.
Some further information is posted in http://seclists.org/oss-sec/2014/q3/9:

For the record, -> http://blog.securitymouse.com/2014/07/i-was-wrong-proving-lz4-exploitable.html

Summary: effectively, this post proves that
- Exploits can be written against current implementations of LZ4
- Block sizes less than 8MB (and even less than 4MB) can be malicious
- Certain platforms are more affected than others (primarily RISC: ARM)
- Protecting against the 16MB and greater flaw was not sufficient
CVE-2014-4611 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-4611): Integer overflow in the LZ4 algorithm implementation, as used in Yann Collet LZ4 before r118 and in the lz4_uncompress function in lib/lz4/lz4_decompress.c in the Linux kernel before 3.15.2, on 32-bit platforms might allow context-dependent attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via a crafted Literal Run that would be improperly handled by programs not complying with an API limitation, a different vulnerability than CVE-2014-4715.

CVE-2014-4608 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-4608): ** DISPUTED ** Multiple integer overflows in the lzo1x_decompress_safe function in lib/lzo/lzo1x_decompress_safe.c in the LZO decompressor in the Linux kernel before 3.15.2 allow context-dependent attackers to cause a denial of service (memory corruption) via a crafted Literal Run. NOTE: the author of the LZO algorithms says "the Linux kernel is *not* affected; media hype."
Fixes in 3.16, https://github.com/torvalds/linux/commit/206a81c18401c0cde6e579164f752c4b147324ce