]> git.karo-electronics.de Git - karo-tx-linux.git/commitdiff
[PATCH] corrupted cramfs filesystems cause kernel oops (CVE-2006-5823)
authorPhillip Lougher <phillip@lougher.org.uk>
Sat, 30 Dec 2006 23:28:06 +0000 (18:28 -0500)
committerChris Wright <chrisw@sous-sol.org>
Wed, 10 Jan 2007 19:05:21 +0000 (11:05 -0800)
Steve Grubb's fzfuzzer tool (http://people.redhat.com/sgrubb/files/
fsfuzzer-0.6.tar.gz) generates corrupt Cramfs filesystems which cause
Cramfs to kernel oops in cramfs_uncompress_block().  The cause of the oops
is an unchecked corrupted block length field read by cramfs_readpage().

This patch adds a sanity check to cramfs_readpage() which checks that the
block length field is sensible.  The (PAGE_CACHE_SIZE << 1) size check is
intentional, even though the uncompressed data is not going to be larger
than PAGE_CACHE_SIZE, gzip sometimes generates compressed data larger than
the original source data.  Mkcramfs checks that the compressed size is
always less than or equal to PAGE_CACHE_SIZE << 1.  Of course Cramfs could
use the original uncompressed data in this case, but it doesn't.

Signed-off-by: Phillip Lougher <phillip@lougher.org.uk>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
fs/cramfs/inode.c

index a624c3ec81892870545cd80bea3f22c91069c2ab..0509cedd415c41d5db51fb0db26096f510067f5b 100644 (file)
@@ -481,6 +481,8 @@ static int cramfs_readpage(struct file *file, struct page * page)
                pgdata = kmap(page);
                if (compr_len == 0)
                        ; /* hole */
+               else if (compr_len > (PAGE_CACHE_SIZE << 1))
+                       printk(KERN_ERR "cramfs: bad compressed blocksize %u\n", compr_len);
                else {
                        mutex_lock(&read_mutex);
                        bytes_filled = cramfs_uncompress_block(pgdata,