Commit d1f34c8e authored by Phillip Lougher's avatar Phillip Lougher Committed by Adrian Bunk

corrupted cramfs filesystems cause kernel oops (CVE-2006-5823)

Steve Grubb's fzfuzzer tool (http://people.redhat.com/sgrubb/files/
fsfuzzer-0.6.tar.gz) generates corrupt Cramfs filesystems which cause
Cramfs to kernel oops in cramfs_uncompress_block().  The cause of the oops
is an unchecked corrupted block length field read by cramfs_readpage().

This patch adds a sanity check to cramfs_readpage() which checks that the
block length field is sensible.  The (PAGE_CACHE_SIZE << 1) size check is
intentional, even though the uncompressed data is not going to be larger
than PAGE_CACHE_SIZE, gzip sometimes generates compressed data larger than
the original source data.  Mkcramfs checks that the compressed size is
always less than or equal to PAGE_CACHE_SIZE << 1.  Of course Cramfs could
use the original uncompressed data in this case, but it doesn't.
Signed-off-by: default avatarPhillip Lougher <phillip@lougher.org.uk>
Signed-off-by: default avatarAdrian Bunk <bunk@stusta.de>
parent 04900014
...@@ -482,6 +482,8 @@ static int cramfs_readpage(struct file *file, struct page * page) ...@@ -482,6 +482,8 @@ static int cramfs_readpage(struct file *file, struct page * page)
pgdata = kmap(page); pgdata = kmap(page);
if (compr_len == 0) if (compr_len == 0)
; /* hole */ ; /* hole */
else if (compr_len > (PAGE_CACHE_SIZE << 1))
printk(KERN_ERR "cramfs: bad compressed blocksize %u\n", compr_len);
else { else {
down(&read_mutex); down(&read_mutex);
bytes_filled = cramfs_uncompress_block(pgdata, bytes_filled = cramfs_uncompress_block(pgdata,
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment