Bug 515232 (CVE-2014-4608) - Kernel: Multiple vulnerabilities in LZO/LZ4 (CVE-2014-{4608,4611})
Summary: Kernel: Multiple vulnerabilities in LZO/LZ4 (CVE-2014-{4608,4611})
Status: CONFIRMED
Alias: CVE-2014-4608
Product: Gentoo Security
Classification: Unclassified
Component: Kernel
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Kernel Security
URL: http://seclists.org/oss-sec/2014/q2/666
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2014-06-26 20:38 UTC by Kristian Fiskerstrand (RETIRED)
Modified: 2016-12-07 04:27 UTC

See Also:
Package list:
Runtime testing required: ---


Description Kristian Fiskerstrand (RETIRED) gentoo-dev 2014-06-26 20:38:16 UTC
From http://seclists.org/oss-sec/2014/q2/666:
CVE ID: CVE-2014-4608

Researcher Name: Don A. Bailey
Researcher Organization: Lab Mouse Security
Researcher Email: donb at securitymouse.com
Researcher Website: www.securitymouse.com

Vulnerability Status: Patched
Vulnerability Embargo: Broken

Vulnerability Class: Integer Overflow
Vulnerability Effect: Memory Corruption
Vulnerability Impact: DoS, OOW
Vulnerability DoS Practicality: Practical
Vulnerability OOW Practicality: Impractical
Vulnerability Criticality: Moderate

Vulnerability Scope:
All versions of the Linux kernel (3x/2x) with LZO support (lib/lzo) that
set the HAVE_EFFICIENT_UNALIGNED_ACCESS configuration option. Currently,
this seems to include PowerPC and i386.


...
Vulnerability Resolution
------------------------
To resolve this issue, the HAVE_OP and HAVE_IP macros should be enhanced to
detect for integer overflow. This is the most reasonable and efficient
location for catching corrupted or instrumented payloads. By testing for
overflow here, an attacker is simply wasting time by forcing the function
to process a large amount of zero bytes.


From http://seclists.org/oss-sec/2014/q2/669: 
Researcher Name: Don A. Bailey
Researcher Organization: Lab Mouse Security
Researcher Email: donb at securitymouse.com
Researcher Website: www.securitymouse.com

Vulnerability Status: Patched
Vulnerability Embargo: Broken

Vulnerability Class: Integer Overflow
Vulnerability Effect: Memory Corruption
Vulnerability Impact: DoS, RCE
Vulnerability DoS Practicality: Practical
Vulnerability RCE Practicality: Practical
Vulnerability Criticality: High

Vulnerability Scope:
All versions of the Linux kernel (3x/2x) with LZ4 support (lib/lz4).

Functions Affected:
        lib/lz4/lz4_decompress.c:lz4_uncompress

Criticality Reasoning
---------------------
Due to the design of the algorithm, an attacker can specify any desired
offset to a write pointer. The attacker can instrument the write in such
a way as to only write four bytes at a specified offset. Subsequent code
will allow the attacker to escape from the decompression algorithm without
further memory corruption. This may allow the attacker to overwrite
critical structures in memory that affect flow of execution.

Vulnerability Description
-------------------------
An integer overflow can occur when processing any variant of a "literal run"
in the lz4_uncompress function.

Vulnerability Resolution
------------------------
The Linux kernel team has resolved this vulnerability.
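As an added illustration of why the resolution above asks the HAVE_IP/HAVE_OP style checks to detect integer overflow (this is example code written for this page, not the kernel's or the advisory's), the functions below model 32-bit addresses as uint32_t so the wraparound reproduces on any host, contrast an overflow-prone bounds check with the remaining-bytes form, and parse an LZO-style zero-byte-extended run length in a way that rejects an oversized run early instead of letting the counter wrap. The function names, the sample inputs and the 300-byte remaining budget are constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Unsafe-style check: adds the run length to the pointer first, so a large t wraps
 * modulo 2^32 on a 32-bit platform and the comparison wrongly passes. */
bool have_ip_unsafe(uint32_t ip, uint32_t ip_end, uint32_t t) {
    return (uint32_t)(ip + t) <= ip_end;
}

/* Hardened check: compare the length against the bytes that remain, which cannot overflow. */
bool have_ip_safe(uint32_t ip, uint32_t ip_end, uint32_t t) {
    return ip <= ip_end && t <= ip_end - ip;
}

/* LZO-style run length: each 0x00 extension byte adds 255; the first non-zero byte ends the
 * run. Roughly 16.8 million zero bytes (2^32 / 255) would wrap an unchecked 32-bit counter;
 * checking against the remaining input on every step rejects such a stream immediately. */
bool read_run_length(const uint8_t *in, size_t in_len, size_t *pos,
                     uint32_t remaining, uint32_t *out_len) {
    uint32_t t = 0;
    while (*pos < in_len && in[*pos] == 0) {
        t += 255;
        (*pos)++;
        if (t > remaining) return false;   /* cannot fit in the input: reject early */
    }
    if (*pos >= in_len) return false;      /* run length never terminated */
    t += in[(*pos)++];
    *out_len = t;
    return t <= remaining;
}

/* Constructed sample: one extension byte then 0x05 with 300 bytes remaining: accepted, length 260. */
uint32_t demo_valid_run(void) {
    const uint8_t in[] = { 0x00, 0x05 };
    size_t pos = 0; uint32_t len = 0;
    return read_run_length(in, sizeof in, &pos, 300, &len) ? len : 0;
}

/* Constructed sample: four zero bytes claim over 1000 literals with only 300 remaining: rejected. */
bool demo_rejects_oversized_run(void) {
    const uint8_t in[] = { 0x00, 0x00, 0x00, 0x00, 0x10 };
    size_t pos = 0; uint32_t len = 0;
    return !read_run_length(in, sizeof in, &pos, 300, &len);
}
```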
Comment 1 Kristian Fiskerstrand (RETIRED) gentoo-dev 2014-06-27 07:49:15 UTC
As pointed out in http://seclists.org/oss-sec/2014/q2/682:

I think it's worth pointing out that the Linux kernel only introduced LZ4 support in 3.11. This is why from the new kernel.org stable releases yesterday, only 3.14.9 and 3.15.2 contain the LZ4 patch. 3.10.45 and 3.4.95 don't.
Comment 2 Kristian Fiskerstrand (RETIRED) gentoo-dev 2014-07-02 19:06:39 UTC
Some further information is posted in http://seclists.org/oss-sec/2014/q3/9: 

For the record,
  -> http://blog.securitymouse.com/2014/07/i-was-wrong-proving-lz4-exploitable.html

Summary: effectively, this post proves that

  - Exploits can be written against current implementations of LZ4
  - Block sizes less than 8MB (and even less than 4MB) can be malicious
  - Certain platforms are more affected than others (primarily RISC: ARM)
  - Protecting against the 16MB and greater flaw was not sufficient
Comment 3 GLSAMaker/CVETool Bot gentoo-dev 2014-08-10 21:31:25 UTC
CVE-2014-4611 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-4611):
  Integer overflow in the LZ4 algorithm implementation, as used in Yann Collet
  LZ4 before r118 and in the lz4_uncompress function in
  lib/lz4/lz4_decompress.c in the Linux kernel before 3.15.2, on 32-bit
  platforms might allow context-dependent attackers to cause a denial of
  service (memory corruption) or possibly have unspecified other impact via a
  crafted Literal Run that would be improperly handled by programs not
  complying with an API limitation, a different vulnerability than
  CVE-2014-4715.

CVE-2014-4608 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-4608):
  ** DISPUTED ** Multiple integer overflows in the lzo1x_decompress_safe
  function in lib/lzo/lzo1x_decompress_safe.c in the LZO decompressor in the
  Linux kernel before 3.15.2 allow context-dependent attackers to cause a
  denial of service (memory corruption) via a crafted Literal Run.  NOTE: the
  author of the LZO algorithms says "the Linux kernel is *not* affected; media
  hype."