* [OE-core][PATCH] lz4: fix CVE-2025-62813
@ 2025-10-27 18:27 David Nyström
0 siblings, 0 replies; 2+ messages in thread
From: David Nyström @ 2025-10-27 18:27 UTC (permalink / raw)
To: openembedded-core; +Cc: David Nyström
Prevent attackers to cause a denial of service (application crash) or
possibly have unspecified other impact when the application processes
untrusted LZ4 frames. For example, LZ4F_createCDict_advanced in
lib/lz4frame.c mishandles NULL checks.
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2025-62813
Upstream patch:
https://github.com/lz4/lz4/commit/f64efec011c058bd70348576438abac222fe6c82
Signed-off-by: David Nyström <david.nystrom@est.tech>
---
.../lz4/files/CVE-2025-62813.patch | 73 +++++++++++++++++++
meta/recipes-support/lz4/lz4_1.9.4.bb | 5 +-
2 files changed, 76 insertions(+), 2 deletions(-)
create mode 100644 meta/recipes-support/lz4/files/CVE-2025-62813.patch
diff --git a/meta/recipes-support/lz4/files/CVE-2025-62813.patch b/meta/recipes-support/lz4/files/CVE-2025-62813.patch
new file mode 100644
index 0000000000..bbd0f74541
--- /dev/null
+++ b/meta/recipes-support/lz4/files/CVE-2025-62813.patch
@@ -0,0 +1,73 @@
+From 10dbd089b74cf858a24a4aa4c2a438984ddf17d7 Mon Sep 17 00:00:00 2001
+From: louislafosse <louis.lafosse@epitech.eu>
+Date: Mon, 31 Mar 2025 20:48:52 +0200
+Subject: [PATCH] fix(null) : improve error handlings when passing a null
+ pointer to some functions from lz4frame
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Upstream-Status: Backport [Upstream commit https://github.com/lz4/lz4/commit/f64efec011c058bd70348576438abac222fe6c82]
+CVE: CVE-2025-62813
+
+Signed-off-by: David Nyström <david.nystrom@est.tech>
+---
+ lib/lz4frame.c | 15 +++++++++++++--
+ tests/frametest.c | 9 ++++++---
+ 2 files changed, 19 insertions(+), 5 deletions(-)
+
+diff --git a/lib/lz4frame.c b/lib/lz4frame.c
+index 174f9ae4..cc6ed6f1 100644
+--- a/lib/lz4frame.c
++++ b/lib/lz4frame.c
+@@ -530,9 +530,16 @@ LZ4F_CDict*
+ LZ4F_createCDict_advanced(LZ4F_CustomMem cmem, const void* dictBuffer, size_t dictSize)
+ {
+ const char* dictStart = (const char*)dictBuffer;
+- LZ4F_CDict* const cdict = (LZ4F_CDict*)LZ4F_malloc(sizeof(*cdict), cmem);
++ LZ4F_CDict* cdict = NULL;
++
+ DEBUGLOG(4, "LZ4F_createCDict_advanced");
+- if (!cdict) return NULL;
++
++ if (!dictStart)
++ return NULL;
++ cdict = (LZ4F_CDict*)LZ4F_malloc(sizeof(*cdict), cmem);
++ if (!cdict)
++ return NULL;
++
+ cdict->cmem = cmem;
+ if (dictSize > 64 KB) {
+ dictStart += dictSize - 64 KB;
+@@ -1429,6 +1436,10 @@ LZ4F_errorCode_t LZ4F_getFrameInfo(LZ4F_dctx* dctx,
+ LZ4F_frameInfo_t* frameInfoPtr,
+ const void* srcBuffer, size_t* srcSizePtr)
+ {
++ assert(dctx != NULL);
++ RETURN_ERROR_IF(frameInfoPtr == NULL, parameter_null);
++ RETURN_ERROR_IF(srcSizePtr == NULL, parameter_null);
++
+ LZ4F_STATIC_ASSERT(dstage_getFrameHeader < dstage_storeFrameHeader);
+ if (dctx->dStage > dstage_storeFrameHeader) {
+ /* frameInfo already decoded */
+diff --git a/tests/frametest.c b/tests/frametest.c
+index 33019551..523e35d1 100644
+--- a/tests/frametest.c
++++ b/tests/frametest.c
+@@ -589,10 +589,13 @@ int basicTests(U32 seed, double compressibility)
+ size_t const srcSize = 65 KB; /* must be > 64 KB to avoid short-size optimizations */
+ size_t const dstCapacity = LZ4F_compressFrameBound(srcSize, NULL);
+ size_t cSizeNoDict, cSizeWithDict;
+- LZ4F_CDict* const cdict = LZ4F_createCDict(CNBuffer, dictSize);
+- if (cdict == NULL) goto _output_error;
+- CHECK( LZ4F_createCompressionContext(&cctx, LZ4F_VERSION) );
++ LZ4F_CDict* cdict = NULL;
+
++ CHECK( LZ4F_createCompressionContext(&cctx, LZ4F_VERSION) );
++ cdict = LZ4F_createCDict(CNBuffer, dictSize);
++ if (cdict == NULL)
++ goto _output_error;
++
+ DISPLAYLEVEL(3, "Testing LZ4F_createCDict_advanced : ");
+ { LZ4F_CDict* const cda = LZ4F_createCDict_advanced(lz4f_cmem_test, CNBuffer, dictSize);
+ if (cda == NULL) goto _output_error;
diff --git a/meta/recipes-support/lz4/lz4_1.9.4.bb b/meta/recipes-support/lz4/lz4_1.9.4.bb
index 51a854d44a..8c96f9bab4 100644
--- a/meta/recipes-support/lz4/lz4_1.9.4.bb
+++ b/meta/recipes-support/lz4/lz4_1.9.4.bb
@@ -13,8 +13,9 @@ PE = "1"
SRCREV = "5ff839680134437dbf4678f3d0c7b371d84f4964"
SRC_URI = "git://github.com/lz4/lz4.git;branch=release;protocol=https \
- file://run-ptest \
- "
+ file://run-ptest \
+ file://CVE-2025-62813.patch \
+ "
UPSTREAM_CHECK_GITTAGREGEX = "v(?P<pver>.*)"
S = "${WORKDIR}/git"
--
2.48.1
^ permalink raw reply related [flat|nested] 2+ messages in thread
* Re: [OE-core][PATCH] lz4: fix CVE-2025-62813
[not found] <18726C77CAC4BE8F.2174@lists.openembedded.org>
@ 2025-10-27 19:56 ` David Nyström
0 siblings, 0 replies; 2+ messages in thread
From: David Nyström @ 2025-10-27 19:56 UTC (permalink / raw)
To: David Nyström; +Cc: openembedded-core
[-- Attachment #1: Type: text/plain, Size: 4982 bytes --]
Whoops, scratch this patch. It was meant not meant for master,
but for scarthgap.
Br,
David
On Mon, 27 Oct 2025, David Nyström via lists.openembedded.org wrote:
> Prevent attackers to cause a denial of service (application crash) or
> possibly have unspecified other impact when the application processes
> untrusted LZ4 frames. For example, LZ4F_createCDict_advanced in
> lib/lz4frame.c mishandles NULL checks.
>
> Reference:
> https://nvd.nist.gov/vuln/detail/CVE-2025-62813
>
> Upstream patch:
> https://github.com/lz4/lz4/commit/f64efec011c058bd70348576438abac222fe6c82
>
> Signed-off-by: David Nyström <david.nystrom@est.tech>
> ---
> .../lz4/files/CVE-2025-62813.patch | 73 +++++++++++++++++++
> meta/recipes-support/lz4/lz4_1.9.4.bb | 5 +-
> 2 files changed, 76 insertions(+), 2 deletions(-)
> create mode 100644 meta/recipes-support/lz4/files/CVE-2025-62813.patch
>
> diff --git a/meta/recipes-support/lz4/files/CVE-2025-62813.patch b/meta/recipes-support/lz4/files/CVE-2025-62813.patch
> new file mode 100644
> index 0000000000..bbd0f74541
> --- /dev/null
> +++ b/meta/recipes-support/lz4/files/CVE-2025-62813.patch
> @@ -0,0 +1,73 @@
> +From 10dbd089b74cf858a24a4aa4c2a438984ddf17d7 Mon Sep 17 00:00:00 2001
> +From: louislafosse <louis.lafosse@epitech.eu>
> +Date: Mon, 31 Mar 2025 20:48:52 +0200
> +Subject: [PATCH] fix(null) : improve error handlings when passing a null
> + pointer to some functions from lz4frame
> +MIME-Version: 1.0
> +Content-Type: text/plain; charset=UTF-8
> +Content-Transfer-Encoding: 8bit
> +
> +Upstream-Status: Backport [Upstream commit https://github.com/lz4/lz4/commit/f64efec011c058bd70348576438abac222fe6c82]
> +CVE: CVE-2025-62813
> +
> +Signed-off-by: David Nyström <david.nystrom@est.tech>
> +---
> + lib/lz4frame.c | 15 +++++++++++++--
> + tests/frametest.c | 9 ++++++---
> + 2 files changed, 19 insertions(+), 5 deletions(-)
> +
> +diff --git a/lib/lz4frame.c b/lib/lz4frame.c
> +index 174f9ae4..cc6ed6f1 100644
> +--- a/lib/lz4frame.c
> ++++ b/lib/lz4frame.c
> +@@ -530,9 +530,16 @@ LZ4F_CDict*
> + LZ4F_createCDict_advanced(LZ4F_CustomMem cmem, const void* dictBuffer, size_t dictSize)
> + {
> + const char* dictStart = (const char*)dictBuffer;
> +- LZ4F_CDict* const cdict = (LZ4F_CDict*)LZ4F_malloc(sizeof(*cdict), cmem);
> ++ LZ4F_CDict* cdict = NULL;
> ++
> + DEBUGLOG(4, "LZ4F_createCDict_advanced");
> +- if (!cdict) return NULL;
> ++
> ++ if (!dictStart)
> ++ return NULL;
> ++ cdict = (LZ4F_CDict*)LZ4F_malloc(sizeof(*cdict), cmem);
> ++ if (!cdict)
> ++ return NULL;
> ++
> + cdict->cmem = cmem;
> + if (dictSize > 64 KB) {
> + dictStart += dictSize - 64 KB;
> +@@ -1429,6 +1436,10 @@ LZ4F_errorCode_t LZ4F_getFrameInfo(LZ4F_dctx* dctx,
> + LZ4F_frameInfo_t* frameInfoPtr,
> + const void* srcBuffer, size_t* srcSizePtr)
> + {
> ++ assert(dctx != NULL);
> ++ RETURN_ERROR_IF(frameInfoPtr == NULL, parameter_null);
> ++ RETURN_ERROR_IF(srcSizePtr == NULL, parameter_null);
> ++
> + LZ4F_STATIC_ASSERT(dstage_getFrameHeader < dstage_storeFrameHeader);
> + if (dctx->dStage > dstage_storeFrameHeader) {
> + /* frameInfo already decoded */
> +diff --git a/tests/frametest.c b/tests/frametest.c
> +index 33019551..523e35d1 100644
> +--- a/tests/frametest.c
> ++++ b/tests/frametest.c
> +@@ -589,10 +589,13 @@ int basicTests(U32 seed, double compressibility)
> + size_t const srcSize = 65 KB; /* must be > 64 KB to avoid short-size optimizations */
> + size_t const dstCapacity = LZ4F_compressFrameBound(srcSize, NULL);
> + size_t cSizeNoDict, cSizeWithDict;
> +- LZ4F_CDict* const cdict = LZ4F_createCDict(CNBuffer, dictSize);
> +- if (cdict == NULL) goto _output_error;
> +- CHECK( LZ4F_createCompressionContext(&cctx, LZ4F_VERSION) );
> ++ LZ4F_CDict* cdict = NULL;
> +
> ++ CHECK( LZ4F_createCompressionContext(&cctx, LZ4F_VERSION) );
> ++ cdict = LZ4F_createCDict(CNBuffer, dictSize);
> ++ if (cdict == NULL)
> ++ goto _output_error;
> ++
> + DISPLAYLEVEL(3, "Testing LZ4F_createCDict_advanced : ");
> + { LZ4F_CDict* const cda = LZ4F_createCDict_advanced(lz4f_cmem_test, CNBuffer, dictSize);
> + if (cda == NULL) goto _output_error;
> diff --git a/meta/recipes-support/lz4/lz4_1.9.4.bb b/meta/recipes-support/lz4/lz4_1.9.4.bb
> index 51a854d44a..8c96f9bab4 100644
> --- a/meta/recipes-support/lz4/lz4_1.9.4.bb
> +++ b/meta/recipes-support/lz4/lz4_1.9.4.bb
> @@ -13,8 +13,9 @@ PE = "1"
> SRCREV = "5ff839680134437dbf4678f3d0c7b371d84f4964"
>
> SRC_URI = "git://github.com/lz4/lz4.git;branch=release;protocol=https \
> - file://run-ptest \
> - "
> + file://run-ptest \
> + file://CVE-2025-62813.patch \
> + "
> UPSTREAM_CHECK_GITTAGREGEX = "v(?P<pver>.*)"
>
> S = "${WORKDIR}/git"
> --
> 2.48.1
>
>
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2025-10-27 19:56 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
[not found] <18726C77CAC4BE8F.2174@lists.openembedded.org>
2025-10-27 19:56 ` [OE-core][PATCH] lz4: fix CVE-2025-62813 David Nyström
2025-10-27 18:27 David Nyström
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox