[PATCH] corrupted cramfs filesystems cause kernel oops
Steve Grubb's fzfuzzer tool (http://people.redhat.com/sgrubb/files/ fsfuzzer-0.6.tar.gz) generates corrupt Cramfs filesystems which cause Cramfs to kernel oops in cramfs_uncompress_block(). The cause of the oops is an unchecked corrupted block length field read by cramfs_readpage(). This patch adds a sanity check to cramfs_readpage() which checks that the block length field is sensible. The (PAGE_CACHE_SIZE << 1) size check is intentional, even though the uncompressed data is not going to be larger than PAGE_CACHE_SIZE, gzip sometimes generates compressed data larger than the original source data. Mkcramfs checks that the compressed size is always less than or equal to PAGE_CACHE_SIZE << 1. Of course Cramfs could use the original uncompressed data in this case, but it doesn't. Signed-off-by: Phillip Lougher <phillip@lougher.org.uk> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
This commit is contained in:
parent
2e591bbc0d
commit
8bb0269160
|
@ -481,6 +481,8 @@ static int cramfs_readpage(struct file *file, struct page * page)
|
||||||
pgdata = kmap(page);
|
pgdata = kmap(page);
|
||||||
if (compr_len == 0)
|
if (compr_len == 0)
|
||||||
; /* hole */
|
; /* hole */
|
||||||
|
else if (compr_len > (PAGE_CACHE_SIZE << 1))
|
||||||
|
printk(KERN_ERR "cramfs: bad compressed blocksize %u\n", compr_len);
|
||||||
else {
|
else {
|
||||||
mutex_lock(&read_mutex);
|
mutex_lock(&read_mutex);
|
||||||
bytes_filled = cramfs_uncompress_block(pgdata,
|
bytes_filled = cramfs_uncompress_block(pgdata,
|
||||||
|
|
Loading…
Reference in New Issue