lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <alpine.LFD.2.00.0903111237410.32478@localhost.localdomain>
Date:	Wed, 11 Mar 2009 12:50:58 -0700 (PDT)
From:	Linus Torvalds <torvalds@...ux-foundation.org>
To:	Phillip Lougher <phillip@...gher.demon.co.uk>
cc:	akpm@...ux-foundation.org, Geert.Uytterhoeven@...ycom.com,
	linux-kernel@...r.kernel.org, s.L-H@....de
Subject: Re: [GIT-PULL] More Squashfs fixes for 2.6.29?



On Wed, 11 Mar 2009, Phillip Lougher wrote:
> 
> Squashfs: Valid filesystems are flagged as bad by the corrupted fs patch
> 
> The problem arises due to an unexpected corner-case with zlib which the
> corrupted filesystems patch didn't address.  Very occasionally zlib
> exits needing a couple of extra bytes of input (up to 6 seen bytes in the
> test filesystems), but with avail_out == 0 and no more output buffer
> space available.  This situation was incorrectly flagged as an output buffer
> overrun by the corrupted filesystems patch.

I'm almost certain that this situation is caused by a bug in how you call 
zlib().

You've explicitly asked for Z_NO_FLUSH, and I suspect you should be using 
Z_SYNC_FLUSH (of Z_FINISH if you know you have all the input data). You 
want as much to be inflated as possible, and you do seem to be expecting 
it to flush as much as possible. 

However, I think the more direct cause is your inflate loop. The rules for 
running inflate() is to call it until it is done, or returns an error:

    inflate() should normally be called until it returns Z_STREAM_END or an
  error. However if all decompression is to be performed in a single step
  (a single call of inflate), the parameter flush should be set to
  Z_FINISH.

so you seem to be doing this all wrong. I think you _should_ be doing an 
inner loop over zlib_inflate() that just does inflates until you get a 
buffer error, and if you get a buffer error you then go on to the next 
page if avail_out is zero (all done if it's the last page), or fill the 
input buffer if it's empty.

So I really think you should fix the zlib_inflate() loop instead.

I dunno. At least that's what the docs suggest, and it's what we do in 
git (another heavy user of zlib, althoughb the usage patterns are rather 
different, and we _tend_ to 

			Linus
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ