diff options
| author | Phillip Lougher <phillip@lougher.org.uk> | 2006-12-30 18:28:06 -0500 |
|---|---|---|
| committer | Chris Wright <chrisw@sous-sol.org> | 2007-01-10 11:05:21 -0800 |
| commit | fe89cf78648bf9f87b7fb26c4a7d3bc410718f06 (patch) | |
| tree | a525068e4d72b474dd9366c422ad08ab3c223320 /fs | |
| parent | eaca4fd8265aa05c5b07aaa425e058abd0aa38d5 (diff) | |
[PATCH] corrupted cramfs filesystems cause kernel oops (CVE-2006-5823)
Steve Grubb's fzfuzzer tool (http://people.redhat.com/sgrubb/files/
fsfuzzer-0.6.tar.gz) generates corrupt Cramfs filesystems which cause
Cramfs to kernel oops in cramfs_uncompress_block(). The cause of the oops
is an unchecked corrupted block length field read by cramfs_readpage().
This patch adds a sanity check to cramfs_readpage() which checks that the
block length field is sensible. The (PAGE_CACHE_SIZE << 1) size check is
intentional, even though the uncompressed data is not going to be larger
than PAGE_CACHE_SIZE, gzip sometimes generates compressed data larger than
the original source data. Mkcramfs checks that the compressed size is
always less than or equal to PAGE_CACHE_SIZE << 1. Of course Cramfs could
use the original uncompressed data in this case, but it doesn't.
Signed-off-by: Phillip Lougher <phillip@lougher.org.uk>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
Diffstat (limited to 'fs')
| -rw-r--r-- | fs/cramfs/inode.c | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/fs/cramfs/inode.c b/fs/cramfs/inode.c index a624c3ec818..0509cedd415 100644 --- a/fs/cramfs/inode.c +++ b/fs/cramfs/inode.c @@ -481,6 +481,8 @@ static int cramfs_readpage(struct file *file, struct page * page) pgdata = kmap(page); if (compr_len == 0) ; /* hole */ + else if (compr_len > (PAGE_CACHE_SIZE << 1)) + printk(KERN_ERR "cramfs: bad compressed blocksize %u\n", compr_len); else { mutex_lock(&read_mutex); bytes_filled = cramfs_uncompress_block(pgdata, |