From: Phillip Lougher Date: Thu, 7 Dec 2006 04:37:20 +0000 (-0800) Subject: [PATCH] corrupted cramfs filesystems cause kernel oops X-Git-Tag: v2.6.20-rc1~145^2^2~167 X-Git-Url: https://err.no/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=8bb0269160df2a60764013994d0bc5165406cf4a;p=linux-2.6 [PATCH] corrupted cramfs filesystems cause kernel oops Steve Grubb's fzfuzzer tool (http://people.redhat.com/sgrubb/files/ fsfuzzer-0.6.tar.gz) generates corrupt Cramfs filesystems which cause Cramfs to kernel oops in cramfs_uncompress_block(). The cause of the oops is an unchecked corrupted block length field read by cramfs_readpage(). This patch adds a sanity check to cramfs_readpage() which checks that the block length field is sensible. The (PAGE_CACHE_SIZE << 1) size check is intentional, even though the uncompressed data is not going to be larger than PAGE_CACHE_SIZE, gzip sometimes generates compressed data larger than the original source data. Mkcramfs checks that the compressed size is always less than or equal to PAGE_CACHE_SIZE << 1. Of course Cramfs could use the original uncompressed data in this case, but it doesn't. Signed-off-by: Phillip Lougher Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds --- diff --git a/fs/cramfs/inode.c b/fs/cramfs/inode.c index a624c3ec81..0509cedd41 100644 --- a/fs/cramfs/inode.c +++ b/fs/cramfs/inode.c @@ -481,6 +481,8 @@ static int cramfs_readpage(struct file *file, struct page * page) pgdata = kmap(page); if (compr_len == 0) ; /* hole */ + else if (compr_len > (PAGE_CACHE_SIZE << 1)) + printk(KERN_ERR "cramfs: bad compressed blocksize %u\n", compr_len); else { mutex_lock(&read_mutex); bytes_filled = cramfs_uncompress_block(pgdata,