diff options
author | Phillip Lougher <phillip@lougher.org.uk> | 2007-01-08 07:02:45 +0100 |
---|---|---|
committer | Adrian Bunk <bunk@stusta.de> | 2007-01-09 03:23:34 +0100 |
commit | d1f34c8e3fa155c1ae9599cd67a60debac66f6c0 (patch) | |
tree | 799a91b58ca2ff898674db0eb4da3bfa5f1a80b4 /Makefile | |
parent | 04900014a73e4275a44f58bf55bc6cca8a65bc4d (diff) |
corrupted cramfs filesystems cause kernel oops (CVE-2006-5823)
Steve Grubb's fzfuzzer tool (http://people.redhat.com/sgrubb/files/
fsfuzzer-0.6.tar.gz) generates corrupt Cramfs filesystems which cause
Cramfs to kernel oops in cramfs_uncompress_block(). The cause of the oops
is an unchecked corrupted block length field read by cramfs_readpage().
This patch adds a sanity check to cramfs_readpage() which checks that the
block length field is sensible. The (PAGE_CACHE_SIZE << 1) size check is
intentional, even though the uncompressed data is not going to be larger
than PAGE_CACHE_SIZE, gzip sometimes generates compressed data larger than
the original source data. Mkcramfs checks that the compressed size is
always less than or equal to PAGE_CACHE_SIZE << 1. Of course Cramfs could
use the original uncompressed data in this case, but it doesn't.
Signed-off-by: Phillip Lougher <phillip@lougher.org.uk>
Signed-off-by: Adrian Bunk <bunk@stusta.de>
Diffstat (limited to 'Makefile')
0 files changed, 0 insertions, 0 deletions