Gentoo's Bugzilla – Attachment 104639 Details for
Bug 158783
Linux 2.6.x zlib_inflate memory corruption (CVE-2006-5823)
1910_cramfs-block-corruption.patch (text/plain), 1.67 KB, created by
Daniel Drake (RETIRED)
on 2006-12-23 08:33:41 UTC
>From: Phillip Lougher <phillip@lougher.org.uk> >Date: Thu, 7 Dec 2006 04:37:20 +0000 (-0800) >Subject: [PATCH] corrupted cramfs filesystems cause kernel oops >X-Git-Tag: v2.6.20-rc1 >X-Git-Url: http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=8bb0269160df2a60764013994d0bc5165406cf4a > >[PATCH] corrupted cramfs filesystems cause kernel oops > >Steve Grubb's fzfuzzer tool (http://people.redhat.com/sgrubb/files/ >fsfuzzer-0.6.tar.gz) generates corrupt Cramfs filesystems which cause >Cramfs to kernel oops in cramfs_uncompress_block(). The cause of the oops >is an unchecked corrupted block length field read by cramfs_readpage(). > >This patch adds a sanity check to cramfs_readpage() which checks that the >block length field is sensible. The (PAGE_CACHE_SIZE << 1) size check is >intentional, even though the uncompressed data is not going to be larger >than PAGE_CACHE_SIZE, gzip sometimes generates compressed data larger than >the original source data. Mkcramfs checks that the compressed size is >always less than or equal to PAGE_CACHE_SIZE << 1. Of course Cramfs could >use the original uncompressed data in this case, but it doesn't. > >Signed-off-by: Phillip Lougher <phillip@lougher.org.uk> >Signed-off-by: Andrew Morton <akpm@osdl.org> >Signed-off-by: Linus Torvalds <torvalds@osdl.org> >--- > >--- a/fs/cramfs/inode.c >+++ b/fs/cramfs/inode.c >@@ -481,6 +481,8 @@ static int cramfs_readpage(struct file * > pgdata = kmap(page); > if (compr_len == 0) > ; /* hole */ >+ else if (compr_len > (PAGE_CACHE_SIZE << 1)) >+ printk(KERN_ERR "cramfs: bad compressed blocksize %u\n", compr_len); > else { > mutex_lock(&read_mutex); > bytes_filled = cramfs_uncompress_block(pgdata,
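Review bot: The new `else if (compr_len > (PAGE_CACHE_SIZE << 1))` branch in cramfs_readpage() only logs, and nothing visible in this hunk reports the failure to the caller, so check that the code after the `else` block does not hand the page back as valid data; consider marking the page as in error (or returning an I/O error) from this branch. The printk is also unthrottled, so an image with many bad block lengths can flood the log, and `printk_ratelimit()` would bound that. A one-line comment at the check explaining why the bound is `PAGE_CACHE_SIZE << 1` rather than `PAGE_CACHE_SIZE` would keep the rationale from the commit message next to the code.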