git.kernelconcepts.de Git - karo-tx-linux.git/commit

author	Phillip Lougher <phillip@lougher.org.uk>
	Sat, 30 Dec 2006 23:28:06 +0000 (18:28 -0500)
committer	Chris Wright <chrisw@sous-sol.org>
	Wed, 10 Jan 2007 19:05:21 +0000 (11:05 -0800)
commit	fe89cf78648bf9f87b7fb26c4a7d3bc410718f06
tree	a525068e4d72b474dd9366c422ad08ab3c223320	tree \| snapshot
parent	eaca4fd8265aa05c5b07aaa425e058abd0aa38d5	commit \| diff

[PATCH] corrupted cramfs filesystems cause kernel oops (CVE-2006-5823)

Steve Grubb's fzfuzzer tool (http://people.redhat.com/sgrubb/files/
fsfuzzer-0.6.tar.gz) generates corrupt Cramfs filesystems which cause
Cramfs to kernel oops in cramfs_uncompress_block().  The cause of the oops
is an unchecked corrupted block length field read by cramfs_readpage().

This patch adds a sanity check to cramfs_readpage() which checks that the
block length field is sensible.  The (PAGE_CACHE_SIZE << 1) size check is
intentional, even though the uncompressed data is not going to be larger
than PAGE_CACHE_SIZE, gzip sometimes generates compressed data larger than
the original source data.  Mkcramfs checks that the compressed size is
always less than or equal to PAGE_CACHE_SIZE << 1.  Of course Cramfs could
use the original uncompressed data in this case, but it doesn't.

Signed-off-by: Phillip Lougher <phillip@lougher.org.uk>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>