In the Linux kernel, the following vulnerability has been resolved:
erofs: fix lz4 inplace decompression
Currently EROFS can map another compressed buffer for inplace decompression, that was used to handle the cases that some pages of compressed data are actually not in-place I/O.
However, like most simple LZ77 algorithms, LZ4 expects the compressed data is arranged at the end of the decompressed buffer and it explicitly uses memmove() to handle overlapping:
|_ direction of decompression --> __ |_ compressed data _|
Although EROFS arranges compressed data like this, it typically maps two individual virtual buffers so the relative order is uncertain. Previously, it was hardly observed since LZ4 only uses memmove() for short overlapped literals and x86/arm64 memmove implementations seem to completely cover it up and they don't have this issue. Juhyung reported that EROFS data corruption can be found on a new Intel x86 processor. After some analysis, it seems that recent x86 processors with the new FSRM feature expose this issue with "rep movsb".
Let's strictly use the decompressed buffer for lz4 inplace decompression for now. Later, as an useful improvement, we could try to tie up these two buffers together in the correct order.
{ "vanir_signatures": [ { "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@33bf23c9940dbd3a22aad7f0cda4c84ed5701847", "signature_type": "Function", "target": { "file": "fs/erofs/decompressor.c", "function": "z_erofs_lz4_decompress_mem" }, "id": "CVE-2023-52497-054d3e2b", "digest": { "function_hash": "184397788005927907651708379389689404641", "length": 1609.0 }, "deprecated": false, "signature_version": "v1" }, { "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@a0180e940cf1aefa7d516e20b259ad34f7a8b379", "signature_type": "Line", "target": { "file": "fs/erofs/decompressor.c" }, "id": "CVE-2023-52497-0d2f9432", "digest": { "threshold": 0.9, "line_hashes": [ "97889678713031639326446968400422374734", "191340378232420964502220880248734947700", "270879604561082201030900101649595214149", "149854620975359018879056930286467575129", "96524110038547349067993771449921439430", "151508542204420290739960495389430465738", "235926603550417195614162977029266588271", "85033260271877310538582101731545137276", "115329068914719218734676818137613783136", "268707111234824784663594430387089597262", "236982527392369124053175953738901416821", "290776115651446244276405629163076944188", "265510592728166908704293201050647976664", "335987093429295415230961375353259879968", "124425994222848355898586910609937377267", "259738217464750654154776477238724169132", "120678572803584663315761295734545398641", "110870913785620462176109798341486384660", "324511382294506994229587817791063891342", "19112731790129863154058374659182007430", "104058828204766377293934147403394858807", "59953451793645934761754248003842375506", "63045452502607398977057292627365129489", "85473036192329520501992563861251859295", "3944512847609020319603354735454167441", "117997386586028726498826333712863239917", "217020355189350204658984654680327485722", "98538323980164861482051270219120753783", "4575963088375797034772281707361267590", "234963055993133534702188593173720604965", "130952804980281693787796204140164986371", "323463077021806308336283758569917961014", "57754154864942788907979248769719453229", "196457503765896296387447949656555974767", "288264500153835806969024794337771199329", "219263993548542622200540479433026095034", "214755113681131755520150764813602431624", "8434803976642764907366622034027922878", "12513067529871364811089293975567037909" ] }, "deprecated": false, "signature_version": "v1" }, { "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@bffc4cc334c5bb31ded54bc3cfd651735a3cb79e", "signature_type": "Line", "target": { "file": "fs/erofs/decompressor.c" }, "id": "CVE-2023-52497-1b4869e0", "digest": { "threshold": 0.9, "line_hashes": [ "46143001570867118597342565217435780290", "61027392961539140274211627286680821873", "252522672569533754612764227309967591134", "97218634609728497492129176159660439181", "119033146643142223909266711548773439461", "322852733697330929790077710264527569319", "96586747769980987635458213594942577326", "159244429418022021926235980175665810050", "118682172982039636253777557065763735215", "223377296594274342404080632148846043383", "90486537256434766698355938939320705291", "183987508692513184289306028161441411984", "324617969578365682531201489176264009259", "293240068889965237416601856544553665485", "37785044053618802928801387976869950608", "181977288376706519046105475157953745425", "120400168764541116097983918641928283792", "285449932778981658861746051802962761977", "250490627953077049422391178973038953809", "245343477062863397796712913882640591927", "33197156497583476538432911511613832356", "57448338846068711699940086952919077486", "192742890472059621833019153156803694988", "134451658800410149066153453984452953226", "192009489421012040062892355309699282952", "272274872971240903385832958328351002071", "86091506060657205171528564040301157402", "224011403545333472989369289056470887829", "235469506797285633317953003742938415858", "152053051108324993122408327598976467657", "282516845514695885096608155202035941614", "61697358195324201733912822779870032400", "315297041365984082085898655431804401223", "254019420950139713385710258636146758860", "50447864898259423927285412834374107789", "168407165995961780757249420370360133663", "175559426053135683548882952460774728011", "277279815734402475730537959957416051989", "320541233923630346834154734956496733163", "202631272764675394680956391840058077493", "243061362058009448676973882299326377162", "238501888443216630621238060778489225052", "178079023027271959098311003806153213111", "19133696009838323328716784047670884193", "267647492356734506682515159457664855338" ] }, "deprecated": false, "signature_version": "v1" }, { "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@bffc4cc334c5bb31ded54bc3cfd651735a3cb79e", "signature_type": "Function", "target": { "file": "fs/erofs/decompressor.c", "function": "z_erofs_lz4_decompress_mem" }, "id": "CVE-2023-52497-1d2e7242", "digest": { "function_hash": "172350805636835255673193693705758162735", "length": 1633.0 }, "deprecated": false, "signature_version": "v1" }, { "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@9ff2d260b25df6fe1341a79113d88fecf6bd553e", "signature_type": "Function", "target": { "file": "fs/erofs/decompressor.c", "function": "z_erofs_decompress_generic" }, "id": "CVE-2023-52497-25b72969", "digest": { "function_hash": "42212456096067471405740682135013491520", "length": 1236.0 }, "deprecated": false, "signature_version": "v1" }, { "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@bffc4cc334c5bb31ded54bc3cfd651735a3cb79e", "signature_type": "Function", "target": { "file": "fs/erofs/decompressor.c", "function": "z_erofs_lz4_decompress" }, "id": "CVE-2023-52497-3375ceeb", "digest": { "function_hash": "221104393450586277220447156734431198696", "length": 904.0 }, "deprecated": false, "signature_version": "v1" }, { "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@3c12466b6b7bf1e56f9b32c366a3d83d87afb4de", "signature_type": "Function", "target": { "file": "fs/erofs/decompressor.c", "function": "z_erofs_lz4_handle_overlap" }, "id": "CVE-2023-52497-34b1a15e", "digest": { "function_hash": "326872566328813616997055704806883683090", "length": 1369.0 }, "deprecated": false, "signature_version": "v1" }, { "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@77cbc04a1a8610e303a0e0d74f2676667876a184", "signature_type": "Function", "target": { "file": "fs/erofs/decompressor.c", "function": "z_erofs_decompress_generic" }, "id": "CVE-2023-52497-4d046964", "digest": { "function_hash": "200197633826512653855709518729457168173", "length": 1169.0 }, "deprecated": false, "signature_version": "v1" }, { "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@bffc4cc334c5bb31ded54bc3cfd651735a3cb79e", "signature_type": "Function", "target": { "file": "fs/erofs/decompressor.c", "function": "z_erofs_lz4_handle_overlap" }, "id": "CVE-2023-52497-4d511ff2", "digest": { "function_hash": "326872566328813616997055704806883683090", "length": 1369.0 }, "deprecated": false, "signature_version": "v1" }, { "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@77cbc04a1a8610e303a0e0d74f2676667876a184", "signature_type": "Function", "target": { "file": "fs/erofs/decompressor.c", "function": "z_erofs_handle_inplace_io" }, "id": "CVE-2023-52497-5c7bd6ed", "digest": { "function_hash": "88793121452010586594875901265399222744", "length": 1414.0 }, "deprecated": false, "signature_version": "v1" }, { "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@33bf23c9940dbd3a22aad7f0cda4c84ed5701847", "signature_type": "Function", "target": { "file": "fs/erofs/decompressor.c", "function": "z_erofs_lz4_handle_overlap" }, "id": "CVE-2023-52497-64d4b627", "digest": { "function_hash": "326872566328813616997055704806883683090", "length": 1369.0 }, "deprecated": false, "signature_version": "v1" }, { "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@3c12466b6b7bf1e56f9b32c366a3d83d87afb4de", "signature_type": "Function", "target": { "file": "fs/erofs/decompressor.c", "function": "z_erofs_lz4_decompress" }, "id": "CVE-2023-52497-73d649e1", "digest": { "function_hash": "221104393450586277220447156734431198696", "length": 904.0 }, "deprecated": false, "signature_version": "v1" }, { "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@f36d200a80a3ca025532ed60dd1ac21b620e14ae", "signature_type": "Function", "target": { "file": "fs/erofs/decompressor.c", "function": "z_erofs_lz4_decompress" }, "id": "CVE-2023-52497-74eb92c4", "digest": { "function_hash": "221104393450586277220447156734431198696", "length": 904.0 }, "deprecated": false, "signature_version": "v1" }, { "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@f36d200a80a3ca025532ed60dd1ac21b620e14ae", "signature_type": "Function", "target": { "file": "fs/erofs/decompressor.c", "function": "z_erofs_lz4_handle_overlap" }, "id": "CVE-2023-52497-77328467", "digest": { "function_hash": "326872566328813616997055704806883683090", "length": 1369.0 }, "deprecated": false, "signature_version": "v1" }, { "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@a0180e940cf1aefa7d516e20b259ad34f7a8b379", "signature_type": "Function", "target": { "file": "fs/erofs/decompressor.c", "function": "z_erofs_decompress_generic" }, "id": "CVE-2023-52497-7e8f6d87", "digest": { "function_hash": "159340399844041043303524039485359799609", "length": 1222.0 }, "deprecated": false, "signature_version": "v1" }, { "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@f36d200a80a3ca025532ed60dd1ac21b620e14ae", "signature_type": "Function", "target": { "file": "fs/erofs/decompressor.c", "function": "z_erofs_lz4_decompress_mem" }, "id": "CVE-2023-52497-80481571", "digest": { "function_hash": "172350805636835255673193693705758162735", "length": 1633.0 }, "deprecated": false, "signature_version": "v1" }, { "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@77cbc04a1a8610e303a0e0d74f2676667876a184", "signature_type": "Line", "target": { "file": "fs/erofs/decompressor.c" }, "id": "CVE-2023-52497-89e86e57", "digest": { "threshold": 0.9, "line_hashes": [ "238245808357260015356960494887163183511", "37812240420954250254115150154379044705", "17368174057668526712209790888146658430", "138986003772906239270089354384292028599", "59502580529917471131606385938564971411", "83203785225749345371687869715209102428", "35872796732844211419373844350055627822", "83773367676090718723377434438232625776", "14289211163261683292225788251514540035", "286374388084186029164242760241634697589", "180946036248628451724968105728985487823", "93794221497296436992393878812274724536", "267285769700631141940927340425166309020", "335700879582924790062226441245086387434", "37785044053618802928801387976869950608", "153963887042597844595681948988947668021", "292450487298310657496745159272902617565", "226835191760095029843006071027584580716", "86444249014698467767335926143751193952", "221896686862426055296709843362253649866", "218613691383770893993841299634122926630", "111362524562927405242162477585565336199", "29031161855579718840530651769273109552", "330174937600560113598131853764928063124", "41335666986779104612251824486200529225", "124193326537147960331373144247464622361", "199789472467221920351181119559828238967", "68633897250302263010578519851448146469", "299483402128321818715729540064923299022", "99964156582570830516658333106858826375", "235435780572064924356122758790058693549", "245247703389888075010467535444832238347", "117791535633069465680035500267487797127", "168407165995961780757249420370360133663", "175559426053135683548882952460774728011", "112135628222459167188531511282246424763", "320541233923630346834154734956496733163", "202631272764675394680956391840058077493", "243061362058009448676973882299326377162", "219263993548542622200540479433026095034", "214755113681131755520150764813602431624", "8434803976642764907366622034027922878", "12513067529871364811089293975567037909" ] }, "deprecated": false, "signature_version": "v1" }, { "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@a0180e940cf1aefa7d516e20b259ad34f7a8b379", "signature_type": "Function", "target": { "file": "fs/erofs/decompressor.c", "function": "z_erofs_lz4_decompress" }, "id": "CVE-2023-52497-a250f7f1", "digest": { "function_hash": "127342208701577275180835976699825725509", "length": 1668.0 }, "deprecated": false, "signature_version": "v1" }, { "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@9ff2d260b25df6fe1341a79113d88fecf6bd553e", "signature_type": "Line", "target": { "file": "fs/erofs/decompressor.c" }, "id": "CVE-2023-52497-a2c552b0", "digest": { "threshold": 0.9, "line_hashes": [ "97889678713031639326446968400422374734", "191340378232420964502220880248734947700", "270879604561082201030900101649595214149", "149854620975359018879056930286467575129", "96524110038547349067993771449921439430", "151508542204420290739960495389430465738", "235926603550417195614162977029266588271", "85033260271877310538582101731545137276", "115329068914719218734676818137613783136", "268707111234824784663594430387089597262", "236982527392369124053175953738901416821", "290776115651446244276405629163076944188", "265510592728166908704293201050647976664", "335987093429295415230961375353259879968", "124425994222848355898586910609937377267", "259738217464750654154776477238724169132", "120678572803584663315761295734545398641", "110870913785620462176109798341486384660", "324511382294506994229587817791063891342", "19112731790129863154058374659182007430", "104058828204766377293934147403394858807", "59953451793645934761754248003842375506", "63045452502607398977057292627365129489", "85473036192329520501992563861251859295", "3944512847609020319603354735454167441", "117997386586028726498826333712863239917", "194015213470198363011072101248475152301", "98538323980164861482051270219120753783", "4575963088375797034772281707361267590", "234963055993133534702188593173720604965", "130952804980281693787796204140164986371", "323463077021806308336283758569917961014", "57754154864942788907979248769719453229", "196457503765896296387447949656555974767", "288264500153835806969024794337771199329", "219263993548542622200540479433026095034", "214755113681131755520150764813602431624", "8434803976642764907366622034027922878", "12513067529871364811089293975567037909" ] }, "deprecated": false, "signature_version": "v1" }, { "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@33bf23c9940dbd3a22aad7f0cda4c84ed5701847", "signature_type": "Function", "target": { "file": "fs/erofs/decompressor.c", "function": "z_erofs_lz4_decompress" }, "id": "CVE-2023-52497-b64c67f7", "digest": { "function_hash": "221104393450586277220447156734431198696", "length": 904.0 }, "deprecated": false, "signature_version": "v1" }, { "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@3c12466b6b7bf1e56f9b32c366a3d83d87afb4de", "signature_type": "Function", "target": { "file": "fs/erofs/decompressor.c", "function": "z_erofs_lz4_decompress_mem" }, "id": "CVE-2023-52497-ba4bba72", "digest": { "function_hash": "172350805636835255673193693705758162735", "length": 1633.0 }, "deprecated": false, "signature_version": "v1" }, { "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@77cbc04a1a8610e303a0e0d74f2676667876a184", "signature_type": "Function", "target": { "file": "fs/erofs/decompressor.c", "function": "z_erofs_lz4_decompress" }, "id": "CVE-2023-52497-bd6466b8", "digest": { "function_hash": "50513900871980161411072863637183472683", "length": 1506.0 }, "deprecated": false, "signature_version": "v1" }, { "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@f36d200a80a3ca025532ed60dd1ac21b620e14ae", "signature_type": "Line", "target": { "file": "fs/erofs/decompressor.c" }, "id": "CVE-2023-52497-c3f5feab", "digest": { "threshold": 0.9, "line_hashes": [ "46143001570867118597342565217435780290", "61027392961539140274211627286680821873", "252522672569533754612764227309967591134", "97218634609728497492129176159660439181", "119033146643142223909266711548773439461", "322852733697330929790077710264527569319", "96586747769980987635458213594942577326", "159244429418022021926235980175665810050", "118682172982039636253777557065763735215", "223377296594274342404080632148846043383", "90486537256434766698355938939320705291", "183987508692513184289306028161441411984", "324617969578365682531201489176264009259", "293240068889965237416601856544553665485", "37785044053618802928801387976869950608", "181977288376706519046105475157953745425", "120400168764541116097983918641928283792", "285449932778981658861746051802962761977", "250490627953077049422391178973038953809", "245343477062863397796712913882640591927", "33197156497583476538432911511613832356", "57448338846068711699940086952919077486", "192742890472059621833019153156803694988", "134451658800410149066153453984452953226", "192009489421012040062892355309699282952", "272274872971240903385832958328351002071", "86091506060657205171528564040301157402", "224011403545333472989369289056470887829", "235469506797285633317953003742938415858", "152053051108324993122408327598976467657", "282516845514695885096608155202035941614", "61697358195324201733912822779870032400", "315297041365984082085898655431804401223", "254019420950139713385710258636146758860", "50447864898259423927285412834374107789", "168407165995961780757249420370360133663", "175559426053135683548882952460774728011", "277279815734402475730537959957416051989", "320541233923630346834154734956496733163", "202631272764675394680956391840058077493", "243061362058009448676973882299326377162", "238501888443216630621238060778489225052", "178079023027271959098311003806153213111", "19133696009838323328716784047670884193", "267647492356734506682515159457664855338" ] }, "deprecated": false, "signature_version": "v1" }, { "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@33bf23c9940dbd3a22aad7f0cda4c84ed5701847", "signature_type": "Line", "target": { "file": "fs/erofs/decompressor.c" }, "id": "CVE-2023-52497-dec8cc61", "digest": { "threshold": 0.9, "line_hashes": [ "46143001570867118597342565217435780290", "61027392961539140274211627286680821873", "252522672569533754612764227309967591134", "97218634609728497492129176159660439181", "119033146643142223909266711548773439461", "322852733697330929790077710264527569319", "96586747769980987635458213594942577326", "159244429418022021926235980175665810050", "118682172982039636253777557065763735215", "223377296594274342404080632148846043383", "90486537256434766698355938939320705291", "183987508692513184289306028161441411984", "324617969578365682531201489176264009259", "293240068889965237416601856544553665485", "37785044053618802928801387976869950608", "181977288376706519046105475157953745425", "120400168764541116097983918641928283792", "285449932778981658861746051802962761977", "250490627953077049422391178973038953809", "245343477062863397796712913882640591927", "33197156497583476538432911511613832356", "57448338846068711699940086952919077486", "192742890472059621833019153156803694988", "134451658800410149066153453984452953226", "192009489421012040062892355309699282952", "272274872971240903385832958328351002071", "86091506060657205171528564040301157402", "224011403545333472989369289056470887829", "235469506797285633317953003742938415858", "152053051108324993122408327598976467657", "316183206894826404447695542538797223625", "61697358195324201733912822779870032400", "315297041365984082085898655431804401223", "254019420950139713385710258636146758860", "50447864898259423927285412834374107789", "168407165995961780757249420370360133663", "175559426053135683548882952460774728011", "277279815734402475730537959957416051989", "320541233923630346834154734956496733163", "202631272764675394680956391840058077493", "243061362058009448676973882299326377162", "238501888443216630621238060778489225052", "178079023027271959098311003806153213111", "19133696009838323328716784047670884193", "267647492356734506682515159457664855338" ] }, "deprecated": false, "signature_version": "v1" }, { "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@9ff2d260b25df6fe1341a79113d88fecf6bd553e", "signature_type": "Function", "target": { "file": "fs/erofs/decompressor.c", "function": "z_erofs_lz4_decompress" }, "id": "CVE-2023-52497-eeb0711c", "digest": { "function_hash": "180950076532530085669552168686295956516", "length": 1469.0 }, "deprecated": false, "signature_version": "v1" }, { "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@3c12466b6b7bf1e56f9b32c366a3d83d87afb4de", "signature_type": "Line", "target": { "file": "fs/erofs/decompressor.c" }, "id": "CVE-2023-52497-f13792a8", "digest": { "threshold": 0.9, "line_hashes": [ "46143001570867118597342565217435780290", "61027392961539140274211627286680821873", "252522672569533754612764227309967591134", "97218634609728497492129176159660439181", "119033146643142223909266711548773439461", "322852733697330929790077710264527569319", "96586747769980987635458213594942577326", "159244429418022021926235980175665810050", "118682172982039636253777557065763735215", "223377296594274342404080632148846043383", "90486537256434766698355938939320705291", "183987508692513184289306028161441411984", "324617969578365682531201489176264009259", "293240068889965237416601856544553665485", "37785044053618802928801387976869950608", "181977288376706519046105475157953745425", "120400168764541116097983918641928283792", "285449932778981658861746051802962761977", "250490627953077049422391178973038953809", "245343477062863397796712913882640591927", "33197156497583476538432911511613832356", "57448338846068711699940086952919077486", "192742890472059621833019153156803694988", "134451658800410149066153453984452953226", "192009489421012040062892355309699282952", "272274872971240903385832958328351002071", "86091506060657205171528564040301157402", "224011403545333472989369289056470887829", "235469506797285633317953003742938415858", "152053051108324993122408327598976467657", "282516845514695885096608155202035941614", "61697358195324201733912822779870032400", "315297041365984082085898655431804401223", "254019420950139713385710258636146758860", "50447864898259423927285412834374107789", "168407165995961780757249420370360133663", "175559426053135683548882952460774728011", "277279815734402475730537959957416051989", "320541233923630346834154734956496733163", "202631272764675394680956391840058077493", "243061362058009448676973882299326377162", "238501888443216630621238060778489225052", "178079023027271959098311003806153213111", "19133696009838323328716784047670884193", "267647492356734506682515159457664855338" ] }, "deprecated": false, "signature_version": "v1" } ] }