Valgrind reports a bug: lzo1x_decompress_safe() reads an uninitialized value. This is 100% reproducible.
To reproduce, download this file:
http://www.cs.berkeley.edu/~daw/tmp/bug3.lzo
Now run valgrind lzop -d bug3.lzo. You get:
==27446== Memcheck, a memory error detector.
==27446== Copyright (C) 2002-2007, and GNU GPL'd, by Julian Seward et al.
==27446== Using LibVEX rev 1804, a library for dynamic binary translation.
==27446== Copyright (C) 2004-2007, and GNU GPL'd, by OpenWorks LLP.
==27446== Using valgrind-3.3.0, a dynamic binary instrumentation framework.
==27446== Copyright (C) 2000-2007, and GNU GPL'd, by Julian Seward et al.
==27446== For more details, rerun with: -v
==27446==
==27446== Conditional jump or move depends on uninitialised value(s)
==27446==    at 0x3D53E1415B: lzo1x_decompress_safe (lzo1x_d.ch:333)
==27446==    by 0x4083D9: lzo_decompress (p_lzo.c:516)
==27446==    by 0x4073B0: x_decompress (compress.c:315)
==27446==    by 0x405FE6: do_decompress (lzop.c:2035)
==27446==    by 0x40648E: do_one_file (lzop.c:2053)
==27446==    by 0x406B69: main (lzop.c:2115)
lzop: bug3.lzo: Compressed data violation
==27446==
==27446== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 4 from 1)
In general this kind of uninitialized use bug can represent a potential for a security vulnerability. I have not analyzed whether this particular bug has any security implications, but because of this risk, I am marking this bug as private for now so that you can investigate and push out a security patch should this represent a security risk. I plan to mark this bug as public on July 17th, unless I hear otherwise.
Reproduced on Fedora 9 x86_64 with these RPMs:
lzop-1.02-0.6.rc1.fc9.x86_64
lzo-2.02-5.fc9.x86_64
lzo-debuginfo-2.02-5.fc9.x86_64
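As an added example (not part of this bug report, nor code from lzop or the LZO library), the following Python helper turns Memcheck output like the trace above into structured records, so a reproduction run can be triaged automatically: which error kind fired, the innermost frame (here the decompressor itself, not the caller), and the counts from the ERROR SUMMARY line. It also builds the valgrind command line for a CI job. The `--error-exitcode` and `--log-file` flags are real Valgrind options; `--track-origins=yes` is assumed to be available, since it appeared in Valgrind releases newer than the 3.3.0 shown here. The embedded log is a constructed sample copied from the report so the parser runs offline without valgrind, lzop or the .lzo file.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample: the Memcheck lines from the report above, embedded so the
# parser can be exercised without valgrind, lzop or the bug3.lzo input.
SAMPLE_LOG = """==27446== Memcheck, a memory error detector.
==27446==
==27446== Conditional jump or move depends on uninitialised value(s)
==27446==    at 0x3D53E1415B: lzo1x_decompress_safe (lzo1x_d.ch:333)
==27446==    by 0x4083D9: lzo_decompress (p_lzo.c:516)
==27446==    by 0x4073B0: x_decompress (compress.c:315)
==27446==    by 0x405FE6: do_decompress (lzop.c:2035)
==27446==    by 0x40648E: do_one_file (lzop.c:2053)
==27446==    by 0x406B69: main (lzop.c:2115)
lzop: bug3.lzo: Compressed data violation
==27446==
==27446== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 4 from 1)
"""

PID_PREFIX = re.compile(r"^==\d+==\s?(.*)$")
FRAME = re.compile(r"^(?:at|by) 0x[0-9A-Fa-f]+: (\S+) \((.+)\)$")
SUMMARY = re.compile(
    r"^ERROR SUMMARY: (\d+) errors from (\d+) contexts "
    r"\(suppressed: (\d+) from (\d+)\)"
)
# Memcheck error headers worth turning into records; the first is the one in the report.
ERROR_KINDS = (
    "Conditional jump or move depends on uninitialised value(s)",
    "Use of uninitialised value",
    "Invalid read",
    "Invalid write",
)


@dataclass
class MemcheckError:
    kind: str
    frames: List[Tuple[str, str]] = field(default_factory=list)  # (function, location)

    def top_frame(self) -> Optional[Tuple[str, str]]:
        """Innermost frame: where the bad access actually happened."""
        return self.frames[0] if self.frames else None


@dataclass
class MemcheckReport:
    errors: List[MemcheckError] = field(default_factory=list)
    program_output: List[str] = field(default_factory=list)  # lines without ==pid==
    error_count: int = 0
    context_count: int = 0
    suppressed_count: int = 0


def parse_memcheck(text: str) -> MemcheckReport:
    """Turn raw Memcheck stderr into a report with one record per error block."""
    report = MemcheckReport()
    current: Optional[MemcheckError] = None
    for raw in text.splitlines():
        m = PID_PREFIX.match(raw)
        if m is None:
            report.program_output.append(raw)  # the traced program's own output
            continue
        line = m.group(1).strip()
        if not line:
            current = None  # a bare ==pid== line ends the current error block
            continue
        s = SUMMARY.match(line)
        if s:
            report.error_count = int(s.group(1))
            report.context_count = int(s.group(2))
            report.suppressed_count = int(s.group(3))
            current = None
            continue
        if any(line.startswith(k) for k in ERROR_KINDS):
            current = MemcheckError(kind=line)
            report.errors.append(current)
            continue
        f = FRAME.match(line)
        if f and current is not None:
            current.frames.append((f.group(1), f.group(2)))
    return report


def memcheck_command(program: str, args: List[str], log_file: str = "memcheck.log",
                     error_exitcode: int = 99) -> List[str]:
    """Command line for an automated run: --error-exitcode makes the exit status
    reflect reported errors, --log-file captures the text for parse_memcheck."""
    return ["valgrind", f"--error-exitcode={error_exitcode}", f"--log-file={log_file}",
            "--track-origins=yes",  # assumed available (newer than the 3.3.0 in the report)
            program, *args]


def summarize(report: MemcheckReport) -> str:
    """One line per error naming the innermost frame, ready for a triage ticket."""
    lines = [f"{report.error_count} error(s) in {report.context_count} context(s)"]
    for e in report.errors:
        top = e.top_frame()
        where = f"{top[0]} ({top[1]})" if top else "<no stack>"
        lines.append(f"- {e.kind} at {where}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(summarize(parse_memcheck(SAMPLE_LOG)))
    print("would run:", " ".join(memcheck_command("lzop", ["-d", "bug3.lzo"])))
```

The innermost frame is the useful one for triage: it lands in lzo1x_d.ch inside the library, not in lzop's wrapper code, which is why the report needed to go to the LZO maintainers rather than being an lzop-only issue.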
Here's another file that triggers the same Valgrind warning:
http://www.cs.berkeley.edu/~daw/tmp/bug8.lzo
I suspect it's the same bug, but I thought I'd provide one more sample file in case it helps with debugging/tracing the bug.