diff options
| author |   Phillip Lougher <phillip@lougher.org.uk> | 2006-12-06 20:37:20 -0800 |
|---|---|---|
| committer |   Linus Torvalds <torvalds@woody.osdl.org> | 2006-12-07 08:39:36 -0800 |
| commit | 8bb0269160df2a60764013994d0bc5165406cf4a (patch) | |
| tree | 1d91813ab99469213ee72afe90e7341a58a7fa79 /security/keys/process_keys.c | |
| parent | [PATCH] Make initramfs printk a warning on incorrect cpio type (diff) | |
| download | linux-dev-8bb0269160df2a60764013994d0bc5165406cf4a.tar.xz linux-dev-8bb0269160df2a60764013994d0bc5165406cf4a.zip | |
[PATCH] corrupted cramfs filesystems cause kernel oops
Steve Grubb's fzfuzzer tool (http://people.redhat.com/sgrubb/files/
fsfuzzer-0.6.tar.gz) generates corrupt Cramfs filesystems which cause
Cramfs to kernel oops in cramfs_uncompress_block(). The cause of the oops
is an unchecked corrupted block length field read by cramfs_readpage().
This patch adds a sanity check to cramfs_readpage() which checks that the
block length field is sensible. The (PAGE_CACHE_SIZE << 1) size check is
intentional, even though the uncompressed data is not going to be larger
than PAGE_CACHE_SIZE, gzip sometimes generates compressed data larger than
the original source data. Mkcramfs checks that the compressed size is
always less than or equal to PAGE_CACHE_SIZE << 1. Of course Cramfs could
use the original uncompressed data in this case, but it doesn't.
Signed-off-by: Phillip Lougher <phillip@lougher.org.uk>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
Diffstat (limited to 'security/keys/process_keys.c')
0 files changed, 0 insertions, 0 deletions