    corrupted cramfs filesystems cause kernel oops (CVE-2006-5823) · d1f34c8e
    Phillip Lougher authored
    Steve Grubb's fsfuzzer tool (http://people.redhat.com/sgrubb/files/fsfuzzer-0.6.tar.gz)
    generates corrupt Cramfs filesystems which cause
    Cramfs to kernel oops in cramfs_uncompress_block().  The cause of the oops
    is an unchecked corrupted block length field read by cramfs_readpage().
    
    This patch adds a sanity check to cramfs_readpage() which checks that the
    block length field is sensible.  The (PAGE_CACHE_SIZE << 1) size check is
    intentional: even though the uncompressed data is not going to be larger
    than PAGE_CACHE_SIZE, gzip sometimes generates compressed data larger than
    the original source data.  Mkcramfs checks that the compressed size is
    always less than or equal to PAGE_CACHE_SIZE << 1.  Of course Cramfs could
    use the original uncompressed data in this case, but it doesn't.
    Signed-off-by: Phillip Lougher <phillip@lougher.org.uk>
    Signed-off-by: Adrian Bunk <bunk@stusta.de>
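The block-length check the commit message describes, modelled in userspace as an added example (this is not the kernel's own fs/cramfs/inode.c code). It walks a file's cramfs block-pointer table the way cramfs_readpage() does, computes each page's compressed length as the difference of two on-disk end pointers, and rejects a block whose length is not sensible. The on-disk layout (one 32-bit little-endian end pointer per page, followed by the compressed blocks) is cramfs's; the function and enum names, the PAGE_CACHE_SIZE value of 4096, the bound of PAGE_CACHE_SIZE << 1 taken from the commit message, and the constructed sample image are this example's assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Page size assumed for this example; the kernel's PAGE_CACHE_SIZE is per-arch. */
#define PAGE_CACHE_SIZE 4096u
/* Largest compressed block mkcramfs will emit, per the commit message. */
#define CRAMFS_MAX_COMPR_LEN (PAGE_CACHE_SIZE << 1)

/* Outcome of locating one page's compressed block (names are this example's own). */
enum blk_status {
    BLK_OK = 0,     /* block located; *start and *compr_len are valid */
    BLK_HOLE,       /* zero-length block: the page is all zeroes */
    BLK_BAD_LEN,    /* compressed length exceeds PAGE_CACHE_SIZE << 1 */
    BLK_BAD_RANGE   /* pointer table or block lies outside the image */
};

static uint32_t get_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

static void put_le32(uint8_t *p, uint32_t v)
{
    p[0] = v & 0xff;         p[1] = (v >> 8) & 0xff;
    p[2] = (v >> 16) & 0xff; p[3] = (v >> 24) & 0xff;
}

/*
 * Find the compressed block backing page `index` of a file whose data starts
 * at `data_off` in `img` and is `file_size` bytes long when uncompressed.
 *
 * cramfs stores, for every page of the file, a 32-bit pointer to the END of
 * that page's compressed block; the first block starts right after the pointer
 * table, so block i spans end[i-1] .. end[i].  Every value read here is
 * untrusted on-disk data, so the pointers are bounds-checked before they are
 * subtracted and the resulting length is capped at PAGE_CACHE_SIZE << 1.
 */
enum blk_status cramfs_locate_block(const uint8_t *img, size_t img_len,
                                    uint32_t data_off, uint32_t file_size,
                                    uint32_t index,
                                    uint32_t *start, uint32_t *compr_len)
{
    uint32_t maxblock = (file_size + PAGE_CACHE_SIZE - 1) / PAGE_CACHE_SIZE;
    uint64_t table_end = (uint64_t)data_off + (uint64_t)maxblock * 4;
    uint32_t start_off, end_off;

    if (index >= maxblock || table_end > img_len)
        return BLK_BAD_RANGE;

    /* block 0 begins where the table ends; block i begins where block i-1 ended */
    start_off = (uint32_t)table_end;
    if (index)
        start_off = get_le32(img + data_off + (index - 1) * 4);
    end_off = get_le32(img + data_off + index * 4);

    /* Unchecked, end_off - start_off wraps to a huge u32 when end_off < start_off. */
    if (end_off < start_off || end_off > img_len || start_off < table_end)
        return BLK_BAD_RANGE;

    *start = start_off;
    *compr_len = end_off - start_off;
    if (*compr_len == 0)
        return BLK_HOLE;
    if (*compr_len > CRAMFS_MAX_COMPR_LEN)
        return BLK_BAD_LEN;
    return BLK_OK;
}

/* Constructed sample: a two-page file whose pointer table sits at offset 0 of a
 * three-page image.  end0/end1 are the on-disk end pointers for pages 0 and 1. */
static uint8_t sample_img[3 * PAGE_CACHE_SIZE];

enum blk_status check_sample(uint32_t end0, uint32_t end1, uint32_t index,
                             uint32_t *compr_len)
{
    uint32_t start = 0, len = 0;
    enum blk_status st;

    memset(sample_img, 0, sizeof sample_img);
    put_le32(sample_img + 0, end0);
    put_le32(sample_img + 4, end1);
    st = cramfs_locate_block(sample_img, sizeof sample_img, 0,
                             2 * PAGE_CACHE_SIZE, index, &start, &len);
    if (compr_len)
        *compr_len = len;
    return st;
}

uint32_t sample_compr_len(uint32_t end0, uint32_t end1, uint32_t index)
{
    uint32_t len = 0;
    check_sample(end0, end1, index, &len);
    return len;
}

int main(void)
{
    static const char *names[] = { "ok", "hole", "bad length", "bad range" };
    struct { const char *what; uint32_t end0, end1, index; } cases[] = {
        { "well-formed block",          108, 3108,       1 },
        { "hole (zero-length block)",   108, 108,        1 },
        { "9000-byte block, > 2 pages", 108, 108 + 9000, 1 },
        { "end pointer before start",   108, 4,          1 },
        { "end pointer past image",     108, 20000,      1 },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        uint32_t len = 0;
        enum blk_status st = check_sample(cases[i].end0, cases[i].end1,
                                          cases[i].index, &len);
        printf("%-28s -> %s (compr_len %u)\n", cases[i].what, names[st], len);
    }
    return 0;
}
```

The "end pointer before start" case is the one the fuzzer hits: without the range check, end_off - start_off wraps to roughly 4 GiB and is handed to the decompressor as the block length. The 8192-byte cap is deliberately not PAGE_CACHE_SIZE, for the reason the commit message gives: gzip can expand incompressible input, and mkcramfs only guarantees the compressed block fits in two pages.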