lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list] 
Message-Id: <70103A46-EDED-41CF-876F-8CFDC344C5ED@lougher.org.uk>
Date:	Sun, 5 Nov 2006 04:02:00 +0000
From:	Phillip Lougher <phillip@...gher.org.uk>
To:	linux-kernel@...r.kernel.org
Cc:	akpm@...l.org
Subject: [PATCH] corrupted cramfs filesystems cause kernel oops

Steve Grubb's fzfuzzer tool (http://people.redhat.com/sgrubb/files/ 
fsfuzzer-0.6.tar.gz) generates corrupt Cramfs filesystems which cause  
Cramfs to kernel oops in cramfs_uncompress_block().  The cause of the  
oops is an unchecked corrupted block length field read by  
cramfs_readpage().

This patch adds a sanity check to cramfs_readpage() which checks that  
the block length field is sensible.   The (PAGE_CACHE_SIZE << 1) size  
check is intentional, even though the uncompressed data is not going  
to be larger than PAGE_CACHE_SIZE, gzip sometimes generates  
compressed data larger than the original source data. Mkcramfs checks  
that the compressed size is always less than or equal to  
PAGE_CACHE_SIZE << 1.  Of course Cramfs could use the original  
uncompressed data in this case, but it doesn't.

Patch is against 2.6.19-rc4.

Signed-off-by:  Phillip Lougher <phillip <at> lougher.org.uk>

diff -Nurp a/fs/cramfs/inode.c b/fs/cramfs/inode.c
--- a/fs/cramfs/inode.c	2006-11-05 00:59:53.000000000 +0000
+++ b/fs/cramfs/inode.c	2006-11-05 03:17:43.000000000 +0000
@@ -481,6 +481,8 @@ static int cramfs_readpage(struct file *
		pgdata = kmap(page);
		if (compr_len == 0)
			; /* hole */
+		else if (compr_len > (PAGE_CACHE_SIZE << 1))
+			printk(KERN_ERR "cramfs: bad compressed blocksize %u\n", compr_len);
		else {
			mutex_lock(&read_mutex);
			bytes_filled = cramfs_uncompress_block(pgdata,


-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ