rpms/kernel/FC-6 linux-2.6-fs-cramfs-corruption-oops.patch, NONE, 1.1 kernel-2.6.spec, 1.2843, 1.2844

Thu Nov 9 23:45:54 UTC 2006

Author: davej

Update of /cvs/dist/rpms/kernel/FC-6
In directory cvs.devel.redhat.com:/tmp/cvs-serv6273

Modified Files:
	kernel-2.6.spec 
Added Files:
	linux-2.6-fs-cramfs-corruption-oops.patch 
Log Message:
Fix up oops in cramfs when encountering corrupt images.

linux-2.6-fs-cramfs-corruption-oops.patch:
 inode.c |    3 ++-
 1 files changed, 2 insertions(+), 1 deletion(-)

--- NEW FILE linux-2.6-fs-cramfs-corruption-oops.patch ---

Steve Grubb's fzfuzzer tool (http://people.redhat.com/sgrubb/files/ 
fsfuzzer-0.6.tar.gz) generates corrupt Cramfs filesystems which cause  
Cramfs to kernel oops in cramfs_uncompress_block().  The cause of the  
oops is an unchecked corrupted block length field read by  
cramfs_readpage().

This patch adds a sanity check to cramfs_readpage() which checks that  
the block length field is sensible.   The (PAGE_CACHE_SIZE << 1) size  
check is intentional, even though the uncompressed data is not going  
to be larger than PAGE_CACHE_SIZE, gzip sometimes generates  
compressed data larger than the original source data. Mkcramfs checks  
that the compressed size is always less than or equal to  
PAGE_CACHE_SIZE << 1.  Of course Cramfs could use the original  
uncompressed data in this case, but it doesn't.

Patch is against 2.6.19-rc4.

Signed-off-by:  Phillip Lougher <phillip <at> lougher.org.uk>

diff -Nurp a/fs/cramfs/inode.c b/fs/cramfs/inode.c
--- a/fs/cramfs/inode.c	2006-11-05 00:59:53.000000000 +0000
+++ b/fs/cramfs/inode.c	2006-11-05 03:17:43.000000000 +0000
@@ -481,6 +481,8 @@ static int cramfs_readpage(struct file *
		pgdata = kmap(page);
		if (compr_len == 0)
			; /* hole */
+		else if (compr_len > (PAGE_CACHE_SIZE << 1))
+			printk(KERN_ERR "cramfs: bad compressed blocksize %u\n", compr_len);
		else {
			mutex_lock(&read_mutex);
			bytes_filled = cramfs_uncompress_block(pgdata,


-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/



Index: kernel-2.6.spec
===================================================================
RCS file: /cvs/dist/rpms/kernel/FC-6/kernel-2.6.spec,v
retrieving revision 1.2843
retrieving revision 1.2844
diff -u -r1.2843 -r1.2844
--- kernel-2.6.spec	9 Nov 2006 23:42:33 -0000	1.2843
+++ kernel-2.6.spec	9 Nov 2006 23:45:42 -0000	1.2844
@@ -493,6 +493,7 @@
 Patch1740: linux-2.6-softlockup-disable.patch
 Patch1750: linux-2.6-usb-storage-reboot.patch
 Patch1760: linux-2.6-fs-grow_buffers-limit.patch
+Patch1761: linux-2.6-fs-cramfs-corruption-oops.patch
 Patch1770: linux-2.6-optimise-spinlock-debug.patch
 Patch1771: linux-2.6-silence-noise.patch
 Patch1780: linux-2.6-ehea-ethernet-driver.patch
@@ -1133,6 +1134,8 @@
 %patch1750 -p1
 # CVE-2006-5757 ISO9660 __find_get_block_slow() denial of service
 %patch1760 -p1
+# Fix up oops in cramfs when encountering corrupt images.
+%patch1761 -p1
 # Speed up spinlock debug.
 %patch1770 -p1
 # Silence some useless messages that still get printed with 'quiet'
@@ -2072,6 +2075,7 @@
 - splice : Must fully check for FIFO
 - Fix potential NULL dereference in sys_move_pages
 - ISO9660 __find_get_block_slow() denial of service CVE-2006-5757
+- Fix up oops in cramfs when encountering corrupt images.
 
 * Mon Nov  6 2006 Roland McGrath <roland at redhat.com>
 - New utrace patch: fix locking snafu crash on second engine attach.


