From: "Jörn Engel" <joern@logfs.org>
To: Eric Sesterhenn <snakebyte@gmx.de>
Cc: phillip@lougher.demon.co.uk, linux-fsdevel@vger.kernel.org,
jacmet@sunsite.dk, trini@kernel.crashing.org, rpurdie@rpsys.net
Subject: Re: [Patch] NULL pointer deref with corrupted squashfs image
Date: Fri, 16 Jan 2009 20:07:32 +0100 [thread overview]
Message-ID: <20090116190725.GA19453@logfs.org> (raw)
In-Reply-To: <20090116174525.GA31869@alice>
On Fri, 16 January 2009 18:45:25 +0100, Eric Sesterhenn wrote:
>
> Non-PPC targets shouldnt inflate images to memory address 0.
> check strm->next_out for NULL in case on non PPC architecture
> to prevent a NULL-pointer dereference while inflating corrupted images.
>
> Signed-off-by: Eric Sesterhenn <snakebyte@gmx.de>
>
> --- linux/lib/zlib_inflate/inflate.c.orig 2009-01-16 15:40:04.000000000 +0100
> +++ linux/lib/zlib_inflate/inflate.c 2009-01-16 15:41:42.000000000 +0100
> @@ -347,8 +347,12 @@ int zlib_inflate(z_streamp strm, int flu
> static const unsigned short order[19] = /* permutation of code lengths */
> {16, 17, 18, 0, 8, 7, 9, 6, 10, 5, 11, 4, 12, 3, 13, 2, 14, 1, 15};
>
> - /* Do not check for strm->next_out == NULL here as ppc zImage
> - inflates to strm->next_out = 0 */
> + /* Since ppc zImage inflates to 0 we only check
> + strm->next_out for non-ppc targets0 */
> +#ifndef CONFIG_PPC
> + if (!strm->next_out)
> + return Z_STREAM_ERROR;
> +#endif
>
> if (strm == NULL || strm->state == NULL ||
> (strm->next_in == NULL && strm->avail_in != 0))
Unzipping to NULL is not an attribute of PPC, but rather of being called
from a bootloader that wants to unpack a kernel to NULL. Which makes
this patch wrong on two accounts. It leaves the bug for CONFIG_PPC and
it may break bootloaders on other architectures. A quick grep shows
xtensa - no clue whether it loads the kernel to NULL or elsewhere.
I'd prefer zlib_inflate to take a flag parameter to disable the check.
Then we can have two wrappers roughly like this:
int zlib_inflate(z_streamp strm, int flush)
{
return __zlib_inflate(strm, flush, 1);
}
int zlib_inflate_null_ok_for_bootloaders_only(z_streamp strm, int flush)
{
return __zlib_inflate(strm, flush, 0);
}
Or we could even make the two wrappers inline functions and move them to
zlib.h.
Jörn
--
He that composes himself is wiser than he that composes a book.
-- B. Franklin
--
To unsubscribe from this list: send the line "unsubscribe linux-fsdevel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
next prev parent reply other threads:[~2009-01-16 19:07 UTC|newest]
Thread overview: 18+ messages / expand[flat|nested] mbox.gz Atom feed top
2009-01-13 12:40 Bug with corrupted squashfs image Eric Sesterhenn
2009-01-16 17:45 ` [Patch] NULL pointer deref " Eric Sesterhenn
2009-01-16 19:07 ` Jörn Engel [this message]
2009-01-16 23:07 ` Tom Rini
2009-01-17 13:49 ` Jörn Engel
2009-01-17 19:38 ` Eric Sesterhenn
2009-01-20 16:47 ` Eric Sesterhenn
2009-01-20 16:47 ` Eric Sesterhenn
2009-01-20 17:57 ` Jörn Engel
2009-01-20 17:57 ` Jörn Engel
2009-01-20 18:47 ` Tom Rini
2009-01-20 18:47 ` Tom Rini
2009-01-21 8:34 ` Eric Sesterhenn
2009-01-21 8:34 ` Eric Sesterhenn
2009-01-21 12:31 ` Phillip Lougher
2009-01-21 12:31 ` Phillip Lougher
2009-01-22 2:48 ` Phillip Lougher
2009-01-22 9:46 ` Jörn Engel
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20090116190725.GA19453@logfs.org \
--to=joern@logfs.org \
--cc=jacmet@sunsite.dk \
--cc=linux-fsdevel@vger.kernel.org \
--cc=phillip@lougher.demon.co.uk \
--cc=rpurdie@rpsys.net \
--cc=snakebyte@gmx.de \
--cc=trini@kernel.crashing.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.