[patch 5/8] Check input buffer size in zisofs

-stable review patch.  If anyone has any  objections, please let us know.
------------------


It's not the real deflateBound() in newer zlib libraries, partly because
the upcoming usage of it won't have the "stream" available, so we can't
have the same interfaces anyway.

This uses the new deflateBound() thing to sanity-check the input to the
zlib decompressor before we even bother to start reading in the blocks.

Problem noted by Tim Yamin <[email protected]>

Signed-off-by: Chris Wright <[email protected]>
---
 fs/isofs/compress.c  |    6 ++++++
 include/linux/zlib.h |    5 +++++
 2 files changed, 11 insertions(+)

Index: linux-2.6.12.y/include/linux/zlib.h
===================================================================
--- linux-2.6.12.y.orig/include/linux/zlib.h
+++ linux-2.6.12.y/include/linux/zlib.h
@@ -506,6 +506,11 @@ extern int zlib_deflateReset (z_streamp 
    stream state was inconsistent (such as zalloc or state being NULL).
 */
 
+static inline unsigned long deflateBound(unsigned long s)
+{
+	return s + ((s + 7) >> 3) + ((s + 63) >> 6) + 11;
+}
+
 extern int zlib_deflateParams (z_streamp strm, int level, int strategy);
 /*
      Dynamically update the compression level and compression strategy.  The
Index: linux-2.6.12.y/fs/isofs/compress.c
===================================================================
--- linux-2.6.12.y.orig/fs/isofs/compress.c
+++ linux-2.6.12.y/fs/isofs/compress.c
@@ -129,8 +129,14 @@ static int zisofs_readpage(struct file *
 	cend = le32_to_cpu(*(__le32 *)(bh->b_data + (blockendptr & bufmask)));
 	brelse(bh);
 
+	if (cstart > cend)
+		goto eio;
+		
 	csize = cend-cstart;
 
+	if (csize > deflateBound(1UL << zisofs_block_shift))
+		goto eio;
+
 	/* Now page[] contains an array of pages, any of which can be NULL,
 	   and the locks on which we hold.  We should now read the data and
 	   release the pages.  If the pages are NULL the decompressed data

--
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [email protected]
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

---

• Follow-Ups:
  • Re: [patch 5/8] Check input buffer size in zisofs
    • From: "H. Peter Anvin" <[email protected]>

• References:
  • [patch 0/8] -stable review
    • From: Chris Wright <[email protected]>

• Prev by Date: [patch 4/8] [PATCH] Update in-kernel zlib routines
• Next by Date: [patch 6/8] CAN-2005-2098 Error during attempt to join key management session can leave semaphore pinned
• Previous by thread: Re: [patch 4/8] [PATCH] Update in-kernel zlib routines
• Next by thread: Re: [patch 5/8] Check input buffer size in zisofs
• Index(es):
  • Date
  • Thread

[Index of Archives]     [Kernel Newbies]     [Netfilter]     [Bugtraq]     [Photo]     [Gimp]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Video 4 Linux]     [Linux for the blind]