Steve Grubb's fzfuzzer tool (http://people.redhat.com/sgrubb/files/
fsfuzzer-0.6.tar.gz) generates corrupt Cramfs filesystems which cause
Cramfs to kernel oops in cramfs_uncompress_block(). The cause of the
oops is an unchecked corrupted block length field read by
cramfs_readpage().
This patch adds a sanity check to cramfs_readpage() which checks that
the block length field is sensible. The (PAGE_CACHE_SIZE << 1) size
check is intentional, even though the uncompressed data is not going
to be larger than PAGE_CACHE_SIZE, gzip sometimes generates
compressed data larger than the original source data. Mkcramfs checks
that the compressed size is always less than or equal to
PAGE_CACHE_SIZE << 1. Of course Cramfs could use the original
uncompressed data in this case, but it doesn't.
Patch is against 2.6.19-rc4.
Signed-off-by: Phillip Lougher <phillip <at> lougher.org.uk>
diff -Nurp a/fs/cramfs/inode.c b/fs/cramfs/inode.c
--- a/fs/cramfs/inode.c 2006-11-05 00:59:53.000000000 +0000
+++ b/fs/cramfs/inode.c 2006-11-05 03:17:43.000000000 +0000
@@ -481,6 +481,8 @@ static int cramfs_readpage(struct file *
pgdata = kmap(page);
if (compr_len == 0)
; /* hole */
+ else if (compr_len > (PAGE_CACHE_SIZE << 1))
+ printk(KERN_ERR "cramfs: bad compressed blocksize %u\n", compr_len);
else {
mutex_lock(&read_mutex);
bytes_filled = cramfs_uncompress_block(pgdata,
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [email protected]
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
[Index of Archives]
[Kernel Newbies]
[Netfilter]
[Bugtraq]
[Photo]
[Stuff]
[Gimp]
[Yosemite News]
[MIPS Linux]
[ARM Linux]
[Linux Security]
[Linux RAID]
[Video 4 Linux]
[Linux for the blind]
[Linux Resources]
