Valgrind reports multiple warnings: lzo1x_decompress_safe() reads and uses uninitialized values. This is 100% reproducible.
To reproduce, download this file:
http://www.cs.berkeley.edu/~daw/tmp/bug4.lzo
Now run valgrind lzop -d bug4.lzo. You get:
==28708== Memcheck, a memory error detector.
==28708== Copyright (C) 2002-2007, and GNU GPL'd, by Julian Seward et al.
==28708== Using LibVEX rev 1804, a library for dynamic binary translation.
==28708== Copyright (C) 2004-2007, and GNU GPL'd, by OpenWorks LLP.
==28708== Using valgrind-3.3.0, a dynamic binary instrumentation framework.
==28708== Copyright (C) 2000-2007, and GNU GPL'd, by Julian Seward et al.
==28708== For more details, rerun with: -v
==28708==
==28708== Conditional jump or move depends on uninitialised value(s)
==28708== at 0x3D53E13C8F: lzo1x_decompress_safe (lzo1x_d.ch:191)
==28708== by 0x4083D9: lzo_decompress (p_lzo.c:516)
==28708== by 0x4073B0: x_decompress (compress.c:315)
==28708== by 0x405FE6: do_decompress (lzop.c:2035)
==28708== by 0x40648E: do_one_file (lzop.c:2053)
==28708== by 0x406B69: main (lzop.c:2115)
==28708==
==28708== Conditional jump or move depends on uninitialised value(s)
==28708== at 0x3D53E13C98: lzo1x_decompress_safe (lzo1x_d.ch:191)
==28708== by 0x4083D9: lzo_decompress (p_lzo.c:516)
==28708== by 0x4073B0: x_decompress (compress.c:315)
==28708== by 0x405FE6: do_decompress (lzop.c:2035)
==28708== by 0x40648E: do_one_file (lzop.c:2053)
==28708== by 0x406B69: main (lzop.c:2115)
==28708==
==28708== Use of uninitialised value of size 8
==28708== at 0x3D53E13CB1: lzo1x_decompress_safe (lzo1x_d.ch:192)
==28708== by 0x4083D9: lzo_decompress (p_lzo.c:516)
==28708== by 0x4073B0: x_decompress (compress.c:315)
==28708== by 0x405FE6: do_decompress (lzop.c:2035)
==28708== by 0x40648E: do_one_file (lzop.c:2053)
==28708== by 0x406B69: main (lzop.c:2115)
lzop: bug4.lzo: Compressed data violation
==28708==
==28708== ERROR SUMMARY: 3 errors from 3 contexts (suppressed: 4 from 1)
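The Memcheck reports above point at the input-side bounds handling of a decompressor: a "conditional jump depends on uninitialised value(s)" inside a decoder loop is the classic signature of a length or offset byte being consumed from memory that the caller never filled. The following is an added illustration, not LZO or lzop code: a deliberately tiny, hypothetical LZ-style token format with a decoder that checks every input read against in_end and every match against what has already been produced, so a truncated or malformed stream yields an error code instead of a read past the supplied data. The format, the function names and the error codes are all invented for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Return codes of the hypothetical decoder (not LZO's). */
enum { TOY_OK = 0, TOY_INPUT_OVERRUN = -1, TOY_OUTPUT_OVERRUN = -2, TOY_BAD_MATCH = -3 };

/* Hypothetical toy format (constructed for this example, not LZO):
 *   token t <  0x80 : literal run of (t + 1) bytes that follow the token
 *   token t >= 0x80 : match of ((t & 0x7F) + 2) bytes copied from a distance
 *                     given by the next byte (1..255) behind the output end
 * Every read of the input and every write to the output is bounds-checked
 * before it happens, which is what keeps Memcheck (and a real attacker-
 * controlled stream) from driving the decoder into memory it was not given. */
int toy_decompress_safe(const uint8_t *in, size_t in_len,
                        uint8_t *out, size_t out_cap, size_t *out_len)
{
    const uint8_t *ip = in, *ip_end = in + in_len;
    uint8_t *op = out, *op_end = out + out_cap;

    while (ip < ip_end) {                  /* token byte exists: safe to read */
        uint8_t t = *ip++;
        if (t < 0x80) {
            size_t n = (size_t)t + 1;
            if ((size_t)(ip_end - ip) < n) return TOY_INPUT_OVERRUN;  /* run claims more than supplied */
            if ((size_t)(op_end - op) < n) return TOY_OUTPUT_OVERRUN;
            memcpy(op, ip, n);
            ip += n;
            op += n;
        } else {
            size_t n = (size_t)(t & 0x7F) + 2;
            if (ip >= ip_end) return TOY_INPUT_OVERRUN;               /* distance byte missing */
            size_t dist = *ip++;
            if (dist == 0 || dist > (size_t)(op - out)) return TOY_BAD_MATCH; /* points before output start */
            if ((size_t)(op_end - op) < n) return TOY_OUTPUT_OVERRUN;
            const uint8_t *src = op - dist;
            for (size_t i = 0; i < n; i++)  /* byte-wise so overlapping (dist < n) copies behave */
                op[i] = src[i];
            op += n;
        }
    }
    *out_len = (size_t)(op - out);
    return TOY_OK;
}

/* Stand-alone demo: a well-formed stream and a truncated one (both constructed). */
int main(void)
{
    const uint8_t good[] = { 0x02, 'a', 'b', 'c', 0x82, 0x03 };  /* "abc" + 4 bytes from distance 3 */
    const uint8_t cut[]  = { 0x02, 'a', 'b' };                   /* literal run of 3, only 2 present */
    uint8_t out[32];
    size_t n = 0;

    int rc = toy_decompress_safe(good, sizeof good, out, sizeof out, &n);
    printf("good stream: rc=%d, %zu bytes: %.*s\n", rc, n, (int)n, out);

    rc = toy_decompress_safe(cut, sizeof cut, out, sizeof out, &n);
    printf("truncated stream: rc=%d (expected %d)\n", rc, TOY_INPUT_OVERRUN);
    return 0;
}
```

Running a decoder like this under `valgrind` with inputs drawn from a larger, partly uninitialised buffer (as lzop's block buffer is when a block is shorter than the allocation) is a cheap regression check: with the `ip_end` comparisons in place Memcheck stays silent, and removing any one of them reproduces the "conditional jump depends on uninitialised value(s)" report on the first malformed stream.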
In general this kind of uninitialized use bug can represent a potential for a security vulnerability. I have not analyzed whether this particular bug has any security implications, but because of this risk, I am marking this bug as private for now so that you can investigate and push out a security patch should this represent a security risk. I plan to mark this bug as public on July 17th, unless I hear otherwise.
Reproduced on Fedora 9 x86_64 with these RPMs:
lzop-1.02-0.6.rc1.fc9.x86_64
lzo-2.02-5.fc9.x86_64
lzo-debuginfo-2.02-5.fc9.x86_64
See also bug #2015363.