From: Eric Sandeen <esandeen@redhat.com> Subject: [PATCH RHEL5] fix zlib_inflate oops due to corrupted cramfs image Date: Thu, 9 Nov 2006 11:26:07 -0600 Bugzilla: 214705 Message-Id: <200611091726.kA9HQ74f005094@neon.msp.redhat.com> Changelog: cramfs: fix zlib_inflate oops with corrupted image For BZ: 214705: [RHEL5] corrupted cramfs crashes in zlib_inflate This patch is upstream in the -mm tree. ----- Steve Grubb's fzfuzzer tool (http://people.redhat.com/sgrubb/files/ fsfuzzer-0.6.tar.gz) generates corrupt Cramfs filesystems which cause Cramfs to kernel oops in cramfs_uncompress_block(). The cause of the oops is an unchecked corrupted block length field read by cramfs_readpage(). This patch adds a sanity check to cramfs_readpage() which checks that the block length field is sensible. The (PAGE_CACHE_SIZE << 1) size check is intentional, even though the uncompressed data is not going to be larger than PAGE_CACHE_SIZE, gzip sometimes generates compressed data larger than the original source data. Mkcramfs checks that the compressed size is always less than or equal to PAGE_CACHE_SIZE << 1. Of course Cramfs could use the original uncompressed data in this case, but it doesn't. Signed-off-by: Phillip Lougher <phillip@lougher.org.uk> Signed-off-by: Andrew Morton <akpm@osdl.org> --- fs/cramfs/inode.c | 2 ++ 1 files changed, 2 insertions(+) Index: linux-2.6.18-1.2732.el5/fs/cramfs/inode.c =================================================================== --- linux-2.6.18-1.2732.el5.orig/fs/cramfs/inode.c +++ linux-2.6.18-1.2732.el5/fs/cramfs/inode.c @@ -482,6 +482,8 @@ static int cramfs_readpage(struct file * pgdata = kmap(page); if (compr_len == 0) ; /* hole */ + else if (compr_len > (PAGE_CACHE_SIZE << 1)) + printk(KERN_ERR "cramfs: bad compressed blocksize %u\n", compr_len); else { mutex_lock(&read_mutex); bytes_filled = cramfs_uncompress_block(pgdata,