author Phillip Lougher <phillip@lougher.demon.co.uk> 2010-04-23 13:18:11 -0400
committer Greg Kroah-Hartman <gregkh@suse.de> 2010-05-12 14:57:10 -0700
commit 46cdf2a8b9d5b105f609469e0caf9dc2336d7e22
tree d7eb6ed78b680b27d1a97fcb77e1989b5af4fe64
parent dc1429f8aef9acfa88920311d045c54bc97b062f
initramfs: handle unrecognised decompressor when unpacking

commit df37bd156dcb4f5441beaf5bde444adac974e9a0 upstream.

The unpack routine fails to handle the decompress_method() returning unrecognised decompressor (compress_name == NULL). This results in the routine looping eventually oopsing on an out of bounds memory access.

Note this bug is usually hidden, only triggering on trailing junk after one or more correct compressed blocks. The case of the compressed archive being complete junk is (by accident?) caught by the if (state != Reset) check because state is initialised to Start, but not updated due to the decompressor not having been called. Obviously if the junk is trailing a correctly decompressed buffer, state == Reset from the previous call to the decompressor.

Signed-off-by: Phillip Lougher <phillip@lougher.demon.co.uk>
Reported-by: Aaro Koskinen <aaro.koskinen@iki.fi>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
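A user-space model of the failure the commit message describes, added here as an illustration; it is not the kernel's code. The toy block format, `toy_decompress`, `unpack` and its `handle_unknown` switch are assumptions, as is a consumed-byte count that only a decompressor call updates; where the kernel would touch memory past the buffer, the model returns `UNPACK_OVERRUN`.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed toy format (assumption): block = 'Z', length byte n, n payload bytes. */
static int toy_decompress(const unsigned char *buf, size_t len, size_t *consumed)
{
    if (len < 2 || (size_t)buf[1] + 2 > len)
        return -1;                      /* truncated block */
    *consumed = (size_t)buf[1] + 2;
    return 0;
}

enum result { UNPACK_OK, UNPACK_JUNK, UNPACK_OVERRUN };

/* Constructed inputs: one good block followed by junk, and complete junk. */
static const unsigned char TRAILING[] = { 'Z', 3, 'a', 'b', 'c', '?', '?' };
static const unsigned char ALL_JUNK[] = { '?', '?', '?' };

/* handle_unknown: 0 = loop without the else branch, 1 = loop with it. */
static enum result unpack(const unsigned char *buf, size_t len, int handle_unknown)
{
    size_t consumed = 0;   /* updated only by a decompressor call */
    int reset = 0;         /* models state == Reset after a good block */

    while (len) {
        if (buf[0] == 'Z') {            /* recognised: run the decompressor */
            if (toy_decompress(buf, len, &consumed))
                return UNPACK_JUNK;
            reset = 1;
        } else if (handle_unknown) {
            return UNPACK_JUNK;         /* the added else branch */
        }
        if (!reset)                     /* the older state != Reset check */
            return UNPACK_JUNK;
        if (consumed > len)             /* stale count would run past the buffer */
            return UNPACK_OVERRUN;
        buf += consumed;
        len -= consumed;
    }
    return UNPACK_OK;
}

int main(void)
{
    printf("trailing junk: without else=%d, with else=%d\n",
           unpack(TRAILING, sizeof TRAILING, 0), unpack(TRAILING, sizeof TRAILING, 1));
    printf("complete junk: without else=%d\n", unpack(ALL_JUNK, sizeof ALL_JUNK, 0));
    return 0;
}
```

Complete junk is rejected in both modes because no block ever set `reset`, which is why only the trailing-junk input separates the two loops.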
-rw-r--r-- init/initramfs.c 3
1 files changed, 2 insertions, 1 deletions
diff --git a/init/initramfs.c b/init/initramfs.c
index 4c00edc59689..1fd59b81dd9a 100644
--- a/init/initramfs.c
+++ b/init/initramfs.c
@@ -455,7 +455,8 @@ static char * __init unpack_to_rootfs(char *buf, unsigned len)
compress_name);
message = msg_buf;
}
- }
+ } else
+ error("junk in compressed archive");
if (state != Reset)
error("junk in compressed archive");
this_header = saved_offset + my_inptr;
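Review bot: The new else branch reports its failure with the same string, "junk in compressed archive", as the state != Reset check on the following line, so a log line cannot tell which of the two conditions fired; a distinct message for the else case would make a failed unpack easier to triage. After the added error() call, execution still falls through to the state != Reset check and the this_header = saved_offset + my_inptr; assignment in the same pass, so a one-line comment stating why continuing here is safe would help the next reader. Style point: the if arm closes with a brace while the else body is unbraced; bracing the else body would keep the two arms consistent.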