git.ipfire.org Git - thirdparty/kernel/stable-queue.git/blob - releases/2.6.19.2/corrupted-cramfs-filesystems-cause-kernel-oops.patch
From stable-bounces@linux.kernel.org Sat Dec 30 15:33:45 2006
Message-ID: <4596F606.2090504@gentoo.org>
Date: Sat, 30 Dec 2006 18:28:06 -0500
From: Daniel Drake <dsd@gentoo.org>
To: stable@kernel.org
Cc: phillip@lougher.org.uk
Subject: corrupted cramfs filesystems cause kernel oops (CVE-2006-5823)

From: Phillip Lougher <phillip@lougher.org.uk>

Steve Grubb's fsfuzzer tool
(http://people.redhat.com/sgrubb/files/fsfuzzer-0.6.tar.gz) generates
corrupt Cramfs filesystems which cause Cramfs to kernel oops in
cramfs_uncompress_block(). The cause of the oops is an unchecked
corrupted block length field read by cramfs_readpage().

This patch adds a sanity check to cramfs_readpage() which checks that the
block length field is sensible. The (PAGE_CACHE_SIZE << 1) size check is
intentional, even though the uncompressed data is not going to be larger
than PAGE_CACHE_SIZE, gzip sometimes generates compressed data larger than
the original source data. Mkcramfs checks that the compressed size is
always less than or equal to PAGE_CACHE_SIZE << 1. Of course Cramfs could
use the original uncompressed data in this case, but it doesn't.

Signed-off-by: Phillip Lougher <phillip@lougher.org.uk>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
---
Date: Thu, 7 Dec 2006 04:37:20 +0000 (-0800)
Subject: [PATCH] corrupted cramfs filesystems cause kernel oops
X-Git-Tag: v2.6.20-rc1
X-Git-Url: http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=8bb0269160df2a60764013994d0bc5165406cf4a

 fs/cramfs/inode.c | 2 ++
 1 file changed, 2 insertions(+)

37 --- linux-2.6.19.1.orig/fs/cramfs/inode.c
38 +++ linux-2.6.19.1/fs/cramfs/inode.c
39 @@ -481,6 +481,8 @@ static int cramfs_readpage(struct file *
40 pgdata = kmap(page);
41 if (compr_len == 0)
42 ; /* hole */
43 + else if (compr_len > (PAGE_CACHE_SIZE << 1))
44 + printk(KERN_ERR "cramfs: bad compressed blocksize %u\n", compr_len);
45 else {
46 mutex_lock(&read_mutex);
47 bytes_filled = cramfs_uncompress_block(pgdata,
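
Review bot: The new `else if (compr_len > (PAGE_CACHE_SIZE << 1))` branch only calls printk(), so as far as these lines show, an oversized block length is handled like the `compr_len == 0` hole case apart from the log line, and no error is recorded for the page in this branch. If the code after the hunk does not already do so, consider marking the page as failed (or otherwise returning an I/O error) so a corrupt block does not read back like a hole. The message would be easier to act on if it named the inode or block offset, and because it fires on every read of a bad block it is worth rate limiting. The reason for `<< 1` appears only in the commit message (gzip output can exceed its input, and mkcramfs enforces the same bound); a one-line comment beside the check would stop it from looking like a mistaken factor of two later.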