lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-Id: <201011231219.14850.lasse.collin@tukaani.org>
Date:	Tue, 23 Nov 2010 12:19:14 +0200
From:	Lasse Collin <lasse.collin@...aani.org>
To:	linux-kernel@...r.kernel.org
Cc:	"H. Peter Anvin" <hpa@...or.com>, Alain Knaff <alain@...ff.lu>,
	Albin Tonnerre <albin.tonnerre@...e-electrons.com>,
	Phillip Lougher <phillip@...gher.demon.co.uk>,
	Andrew Morton <akpm@...ux-foundation.org>
Subject: [PATCH 2/4] Decompressors: Check for read errors in decompress_unlzma.c

From: Lasse Collin <lasse.collin@...aani.org>

Return value of rc->fill() is checked in rc_read() and error()
is called when needed, but then the code continues as if nothing
had happened.

rc_read() is a void function and it's on the top of performance
critical call stacks, so propagating the error code via return
values doesn't sound like the best fix. It seems better to check
rc->buffer_size (which holds the return value of rc->fill()) in
the main loop. It does nothing bad that the code runs a little
with unknown data after a failed rc->fill().

This fixes an infinite loop in initramfs decompression if the
LZMA-compressed initramfs image is corrupt.

Signed-off-by: Lasse Collin <lasse.collin@...aani.org>
---

--- linux-2.6.37-rc3/lib/decompress_unlzma.c.orig	2010-11-23 11:07:28.000000000 +0200
+++ linux-2.6.37-rc3/lib/decompress_unlzma.c	2010-11-23 11:10:07.000000000 +0200
@@ -637,6 +637,8 @@ STATIC inline int INIT unlzma(unsigned c
 			if (cst.rep0 == 0)
 				break;
 		}
+		if (rc.buffer_size <= 0)
+			goto exit_3;
 	}
 
 	if (posp)
@@ -644,6 +646,7 @@ STATIC inline int INIT unlzma(unsigned c
 	if (wr.flush)
 		wr.flush(wr.buffer, wr.buffer_pos);
 	ret = 0;
+exit_3:
 	large_free(p);
 exit_2:
 	if (!output)
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ