From: "Jörn Engel" <joern@logfs.org>
To: Phillip Lougher <phillip@lougher.demon.co.uk>
Cc: Eric Sesterhenn <snakebyte@gmx.de>,
linux-fsdevel@vger.kernel.org, jacmet@sunsite.dk,
trini@kernel.crashing.org, rpurdie@rpsys.net
Subject: Re: [Patch] NULL pointer deref with corrupted squashfs image
Date: Thu, 22 Jan 2009 10:46:40 +0100
Message-ID: <20090122094640.GA3671@logfs.org>
In-Reply-To: <4977DE8B.7070102@lougher.demon.co.uk>

On Thu, 22 January 2009 02:48:43 +0000, Phillip Lougher wrote:
>
> My guess
> is either zlib_inflate is getting confused with corrupt data

Which is easy enough. As one would expect of a decent compressor, there
is little redundancy in the zlib stream that can be used for error
checking. The 2-byte header has some, literal blocks have the length
field twice and compressed blocks contain a couple of illegal symbols.
The best way to protect oneself against accidental errors is checksums.
And the zlib decision to checksum the _un_compressed data clearly
doesn't help in this case, as the experienced problem occurs before the
check. Also explains the "small .gz expands to gigabytes of data"
attack, btw.

Given a malicious attacker with enough time and resources, checksums
obviously don't help. They will simply match the corrupt data.

Jörn

--
Joern's library part 3:
http://inst.eecs.berkeley.edu/~cs152/fa05/handouts/clark-test.pdf
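
Added example (not part of the message above and not squashfs or kernel code): a userspace Python sketch of the points the message makes about the zlib format, namely the header and LEN/NLEN redundancy, the Adler-32 over uncompressed data being compared only after the output has been produced, and an output cap as the guard against a small stream expanding without bound. The function names and the sample payload are constructed for illustration.

```python
import zlib

def make_stored_stream(data):
    """Constructed sample: a zlib stream holding one stored (uncompressed) block."""
    n = len(data)                                     # must fit the 16-bit LEN field
    return (b"\x78\x01"                               # CMF, FLG (FCHECK makes it % 31 == 0)
            + b"\x01"                                 # BFINAL=1, BTYPE=00 (stored), padded
            + n.to_bytes(2, "little")                 # LEN
            + (n ^ 0xFFFF).to_bytes(2, "little")      # NLEN, one's complement of LEN
            + data
            + zlib.adler32(data).to_bytes(4, "big"))  # checksum of the uncompressed data

def structural_checks(stream):
    """Redundancy that can be tested before any output exists: header, LEN/NLEN."""
    header_ok = (stream[0] & 0x0F) == 8 and int.from_bytes(stream[:2], "big") % 31 == 0
    length = int.from_bytes(stream[3:5], "little")
    nlen = int.from_bytes(stream[5:7], "little")
    return header_ok, (length ^ nlen) == 0xFFFF

def inflate_until_trailer(stream):
    """Inflate all but the 4 trailer bytes, then feed the trailer; return (output, error)."""
    d = zlib.decompressobj()
    out = d.decompress(stream[:-4])                   # output is handed to the caller here
    try:
        d.decompress(stream[-4:])                     # Adler-32 is only compared here
    except zlib.error as exc:
        return out, str(exc)
    return out, None

def inflate_bounded(stream, limit):
    """Refuse streams that expand past `limit` bytes or that end early."""
    d = zlib.decompressobj()
    out = d.decompress(stream, limit + 1)             # ask for one byte more than allowed
    if len(out) > limit:
        raise ValueError("output exceeds limit")
    if not d.eof:
        raise ValueError("truncated stream")
    return out

def demo():
    """Flip one payload bit: both structural checks still pass, output is corrupt."""
    good = make_stored_stream(b"squashfs metadata block " * 8)
    bad = bytearray(good)
    bad[7 + 10] ^= 0x20                               # payload starts at offset 7
    return structural_checks(bytes(bad)), inflate_until_trailer(bytes(bad))
```

In `demo()` the corrupted payload passes both structural checks and all 192 bytes reach the caller before the trailer comparison fails, so a consumer that acts on output as it arrives has to validate it independently.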