Bug 1185438 (CVE-2021-3520)

Summary: VUL-0: CVE-2021-3520: lz4: memory corruption due to an integer overflow bug caused by memmove argument
Product: [Novell Products] SUSE Security Incidents
Reporter: Alexander Bergmann <abergmann>
Component: Incidents
Assignee: Security Team bot <security-team>
Status: NEW ---
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P3 - Medium
CC: abergmann, meissner, smash_bz
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/283025/
Whiteboard: CVSSv3.1:SUSE:CVE-2021-3520:8.6:(AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H)
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Alexander Bergmann 2021-04-29 06:29:21 UTC
rh#1954559

A vulnerability was found in lz4, where a potential memory corruption due to an integer overflow bug caused one of the memmove arguments to become negative. Depending on how the library was compiled this will hit an assert() inside the library and dump core, leaving a 4GB core file, or it will go into libc and crash inside the memmove() function.

Reference:
https://github.com/lz4/lz4/pull/972

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1954559
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-3520
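The failure class in the description, as an added illustration that is not lz4 code and not part of this bug report: a length kept in a signed int goes negative through bookkeeping like "remaining = outputSize - produced", and memmove() takes size_t, so the negative value is converted to a huge unsigned count. The guarded wrapper mirrors the kind of entry-point validation discussed later in this thread (reject NULL and negative sizes before any copy) and additionally bounds the copy by the destination capacity. All function names, buffers and input values here are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not lz4 code: models a signed length that goes negative
 * and is then handed to memmove(), whose size parameter is size_t. */

/* What memmove() actually receives when a negative int is passed as the
 * length: the conversion to size_t wraps to a value near SIZE_MAX. */
size_t length_seen_by_memmove(int len)
{
    return (size_t)len;
}

/* Constructed bookkeeping of the form "remaining = outputSize - produced".
 * If the caller-supplied outputSize is smaller than what was already
 * produced, the remaining length is negative. */
int remaining_length(int outputSize, int produced)
{
    return outputSize - produced;
}

/* Guarded copy: rejects NULL pointers and negative sizes before any
 * pointer arithmetic, and bounds the copy by the destination capacity.
 * Returns the number of bytes moved, or -1 if the request is rejected. */
int guarded_memmove(char *dst, int dstCapacity, const char *src, int len)
{
    if ((src == NULL) || (dst == NULL)) return -1;
    if ((len < 0) || (dstCapacity < 0)) return -1; /* would wrap as size_t */
    if (len > dstCapacity) return -1;              /* would overrun dst   */
    memmove(dst, src, (size_t)len);
    return len;
}

/* Driver over static buffers so the guard can be exercised with only
 * the two integers that drive the length computation. */
int demo_copy(int outputSize, int produced)
{
    static char src[32] = "0123456789abcdef";   /* constructed payload */
    static char dst[16];
    int len = remaining_length(outputSize, produced);
    return guarded_memmove(dst, (int)sizeof dst, src, len);
}

int main(void)
{
    int rem = remaining_length(8, 12);   /* constructed: 8 - 12 = -4 */
    printf("remaining = %d, memmove would see %zu bytes\n",
           rem, length_seen_by_memmove(rem));
    printf("negative length -> %d\n", demo_copy(8, 12));   /* -1 */
    printf("in-bounds length -> %d\n", demo_copy(12, 4));  /* 8  */
    printf("oversized length -> %d\n", demo_copy(40, 4));  /* -1 */
    return 0;
}
```

The first printf shows why a crash "inside the memmove() function" is the expected symptom: once the negative int becomes a size_t the copy length is effectively unbounded, so the only robust place to stop it is before the conversion, with a signed comparison such as the `outputSize < 0` check.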
Comment 1 Alexander Bergmann 2021-04-29 06:54:43 UTC
SLE and openSUSE are all on version 1.8.0. Upstream released this version in 2017. In the meantime quite some changes were introduced.

The upstream fix commit 8301a21773ef61656225e264f4f06ae14462bca7 is based on some other major changes that came in over the last couple years.

The following commit for example introduced a NULL pointer check for the source input data that is not yet present in our code.

8bea19d57c0db6d3d812c7acc3d1834762bce297

+  if (src == NULL) return -1;

So we have to check if a backport is actually doable here.
Comment 2 Petr Gajdos 2021-05-05 05:51:44 UTC
Alexander,

(In reply to Alexander Bergmann from comment #1)
> 8bea19d57c0db6d3d812c7acc3d1834762bce297
> 

8bea19d57c0db6d3d812c7acc3d1834762bce297 seems to be almost indentation. So I propose to add:

> +  if (src == NULL) return -1;

plus

-    if (src == NULL) { return -1; }
+    if ((src == NULL) || (outputSize < 0)) { return -1; }
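Review bot: the added `(outputSize < 0)` test in the `+` line rejects a negative size at the entry point, before it can be converted to a size_t memmove length; since the bug summary describes the negative value arising from an integer overflow inside the library, confirm that the internal length computation feeding memmove is guarded as well, because a non-negative outputSize from the caller alone does not rule out that overflow.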

What do you think?

One additional check against NULL was added by 8bea19d57c0db6d3d812c7acc3d1834762bce297:

-    const BYTE* const dictEnd = (const BYTE*)dictStart + dictSize;
+    const BYTE* const dictEnd = (dictStart == NULL) ? NULL : dictStart + dictSize;
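Review bot: the `+` line drops the `(const BYTE*)` cast present in the `-` line, so `dictStart + dictSize` only keeps its byte-granular meaning if `dictStart` is already declared as `const BYTE*` (or another byte-sized pointer type) in the 1.8.0 function being patched; please verify that before backporting, as a wider element type would scale the offset. The ternary itself is the right shape, since forming `NULL + dictSize` is undefined pointer arithmetic.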

I can add it, too.
Comment 3 Petr Gajdos 2021-05-10 07:44:43 UTC
QA: I have not been successful in creating a testcase that would expose the issue to valgrind.

(In reply to Petr Gajdos from comment #2)
> 8bea19d57c0db6d3d812c7acc3d1834762bce297 seems to be almost identation. So I
> propose to add:
> 
> > +  if (src == NULL) return -1;
> 
> plus
> 
> -    if (src == NULL) { return -1; }
> +    if ((src == NULL) || (outputSize < 0)) { return -1; }
> 
> What do you think?
> 
> One additional check against NULL was added by
> 8bea19d57c0db6d3d812c7acc3d1834762bce297:
> 
> -    const BYTE* const dictEnd = (const BYTE*)dictStart + dictSize;
> +    const BYTE* const dictEnd = (dictStart == NULL) ? NULL : dictStart +
> dictSize;
> 
> I can add it, too.

Did so.
Comment 4 Petr Gajdos 2021-05-10 07:46:33 UTC
Packages submitted for: 12sp5,15/lz4

I believe all fixed.
Comment 9 Petr Gajdos 2021-05-14 08:45:16 UTC
Packages submitted for: 12sp5,15,15sp3/lz4

I believe all fixed.
Comment 11 Swamp Workflow Management 2021-05-14 19:16:09 UTC
SUSE-SU-2021:1613-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1153936,1185438
CVE References: CVE-2019-17543,CVE-2021-3520
JIRA References: 
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    lz4-1.8.0-3.3.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 12 Swamp Workflow Management 2021-05-19 16:33:00 UTC
SUSE-SU-2021:1647-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1185438
CVE References: CVE-2021-3520
JIRA References: 
Sources used:
SUSE MicroOS 5.0 (src):    lz4-1.8.0-3.8.1
SUSE Manager Server 4.0 (src):    lz4-1.8.0-3.8.1
SUSE Manager Retail Branch Server 4.0 (src):    lz4-1.8.0-3.8.1
SUSE Manager Proxy 4.0 (src):    lz4-1.8.0-3.8.1
SUSE Linux Enterprise Server for SAP 15-SP1 (src):    lz4-1.8.0-3.8.1
SUSE Linux Enterprise Server for SAP 15 (src):    lz4-1.8.0-3.8.1
SUSE Linux Enterprise Server 15-SP1-LTSS (src):    lz4-1.8.0-3.8.1
SUSE Linux Enterprise Server 15-SP1-BCL (src):    lz4-1.8.0-3.8.1
SUSE Linux Enterprise Server 15-LTSS (src):    lz4-1.8.0-3.8.1
SUSE Linux Enterprise Module for Basesystem 15-SP2 (src):    lz4-1.8.0-3.8.1
SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (src):    lz4-1.8.0-3.8.1
SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (src):    lz4-1.8.0-3.8.1
SUSE Linux Enterprise High Performance Computing 15-LTSS (src):    lz4-1.8.0-3.8.1
SUSE Linux Enterprise High Performance Computing 15-ESPOS (src):    lz4-1.8.0-3.8.1
SUSE Enterprise Storage 6 (src):    lz4-1.8.0-3.8.1
SUSE CaaS Platform 4.0 (src):    lz4-1.8.0-3.8.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 13 Swamp Workflow Management 2021-05-22 10:34:18 UTC
openSUSE-SU-2021:0760-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1185438
CVE References: CVE-2021-3520
JIRA References: 
Sources used:
openSUSE Leap 15.2 (src):    lz4-1.8.0-lp152.5.3.1, lz4-test-1.8.0-lp152.5.3.1
Comment 14 Swamp Workflow Management 2021-06-01 19:19:04 UTC
SUSE-SU-2021:1825-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1185438
CVE References: CVE-2021-3520
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Basesystem 15-SP3 (src):    lz4-1.9.2-3.3.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 15 Swamp Workflow Management 2021-07-10 23:17:59 UTC
openSUSE-SU-2021:1825-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1185438
CVE References: CVE-2021-3520
JIRA References: 
Sources used:
openSUSE Leap 15.3 (src):    lz4-1.9.2-3.3.1
Comment 16 OBSbugzilla Bot 2021-10-04 08:40:11 UTC
This is an autogenerated message for OBS integration:
This bug (1185438) was mentioned in
https://build.opensuse.org/request/show/922939 Factory / lz4