Bug 1112436 (CVE-2014-4611) - CVE-2014-4611 lz4: LZ4_decompress_generic() integer overflow
Summary: CVE-2014-4611 lz4: LZ4_decompress_generic() integer overflow
Alias: CVE-2014-4611
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 1113869 1113870 1113884
Blocks: 1112414
TreeView+ depends on / blocked
Reported: 2014-06-24 00:22 UTC by Kurt Seifried
Modified: 2021-02-17 06:27 UTC (History)
34 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2014-06-30 04:19:14 UTC

Attachments (Terms of Use)

Description Kurt Seifried 2014-06-24 00:22:34 UTC
Don A. Bailey of Lab Mouse Security reported an integer overflow issue in various implementations of LZO (Lempel–Ziv–Oberhumer) and LZ4 compression algorithms.  The issue is in the handling of "literal runs" during decompression, and can lead to application crash and, possibly, code execution.

This bug is for LZ4 and LZ4 copy embedded in the Linux kernel (as of version 3.11).

This issue can not be triggered on 64bit systems today, as it would require input of the size that is beyond capabilities of modern computers.  On 32bit systems, this can only affect applications using sufficiently large decompression blocks (16mb+).

Comment 1 Murray McAllister 2014-06-27 06:06:23 UTC
Created lz4 tracking bugs for this issue:

Affects: fedora-all [bug 1113869]
Affects: epel-all [bug 1113870]

Comment 2 Murray McAllister 2014-06-27 06:06:43 UTC
This issue is public:


Comment 3 Petr Matousek 2014-06-27 07:00:22 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1113884]

Comment 4 Petr Matousek 2014-06-27 07:13:37 UTC

Not vulnerable. This issue does not affect the kernel packages as shipped with Red Hat Enterprise Linux 5, 6, 7 and Red Hat Enterprise Linux MRG 2.

Comment 5 Josh Boyer 2014-06-27 11:45:22 UTC
I believe this is fixed upstream with:


Which has been backported to the stable kernels with commits:

3.14.y: 5f32449c2863adf190b83402e9a4069cee054f9d
3.15.y: 80fdb886fefbc782195ed2c0bd757ea202e05953

Comment 6 Tomas Hoger 2014-06-30 14:35:11 UTC
Blog posts from Don A. Bailey, the original reporter of this issue:


Reporter's security reports for both LZ4 upstream, and embedded copy as used in the Linux kernel:


Feedback from the LZ4 upstream, which indicates there are no application known to be affected by this flaw, as the issue is only exploitable when application uses large decompression blocks (16mb+).  LZ4 file format does not allow blocks of such size.


LZ4 upstream bugs report, an independent report from Ludwig Strigeus, which pre-dates Don A. Bailey's report:


LZ4 upstream fix:


The above fix was applied to LZ4 upstream repository with other changes as part of this commit:


Test case from the above LZ4 upstream bug report:


Note You need to log in before you can comment on or make changes to this bug.