summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorPhillip Lougher <phillip@lougher.org.uk>2007-01-08 07:02:45 +0100
committerAdrian Bunk <bunk@stusta.de>2007-01-09 03:23:34 +0100
commitd1f34c8e3fa155c1ae9599cd67a60debac66f6c0 (patch)
tree799a91b58ca2ff898674db0eb4da3bfa5f1a80b4
parent04900014a73e4275a44f58bf55bc6cca8a65bc4d (diff)
downloadlwn-d1f34c8e3fa155c1ae9599cd67a60debac66f6c0.tar.gz
lwn-d1f34c8e3fa155c1ae9599cd67a60debac66f6c0.zip
corrupted cramfs filesystems cause kernel oops (CVE-2006-5823)
Steve Grubb's fzfuzzer tool (http://people.redhat.com/sgrubb/files/ fsfuzzer-0.6.tar.gz) generates corrupt Cramfs filesystems which cause Cramfs to kernel oops in cramfs_uncompress_block(). The cause of the oops is an unchecked corrupted block length field read by cramfs_readpage(). This patch adds a sanity check to cramfs_readpage() which checks that the block length field is sensible. The (PAGE_CACHE_SIZE << 1) size check is intentional, even though the uncompressed data is not going to be larger than PAGE_CACHE_SIZE, gzip sometimes generates compressed data larger than the original source data. Mkcramfs checks that the compressed size is always less than or equal to PAGE_CACHE_SIZE << 1. Of course Cramfs could use the original uncompressed data in this case, but it doesn't. Signed-off-by: Phillip Lougher <phillip@lougher.org.uk> Signed-off-by: Adrian Bunk <bunk@stusta.de>
-rw-r--r--fs/cramfs/inode.c2
1 files changed, 2 insertions, 0 deletions
diff --git a/fs/cramfs/inode.c b/fs/cramfs/inode.c
index 8ad52f5bf255..30fdd5dc73bd 100644
--- a/fs/cramfs/inode.c
+++ b/fs/cramfs/inode.c
@@ -482,6 +482,8 @@ static int cramfs_readpage(struct file *file, struct page * page)
pgdata = kmap(page);
if (compr_len == 0)
; /* hole */
+ else if (compr_len > (PAGE_CACHE_SIZE << 1))
+ printk(KERN_ERR "cramfs: bad compressed blocksize %u\n", compr_len);
else {
down(&read_mutex);
bytes_filled = cramfs_uncompress_block(pgdata,