From: Jörn Engel
Subject: Re: [Patch] NULL pointer deref with corrupted squashfs image
Date: Thu, 22 Jan 2009 10:46:40 +0100
Message-ID: <20090122094640.GA3671@logfs.org>
References: <20090113124027.GB16333@alice> <20090116174525.GA31869@alice> <4977DE8B.7070102@lougher.demon.co.uk>
In-Reply-To: <4977DE8B.7070102@lougher.demon.co.uk>
To: Phillip Lougher
Cc: Eric Sesterhenn, linux-fsdevel@vger.kernel.org, jacmet@sunsite.dk, trini@kernel.crashing.org, rpurdie@rpsys.net

On Thu, 22 January 2009 02:48:43 +0000, Phillip Lougher wrote:
>
> My guess
> is either zlib_inflate is getting confused with corrupt data

Which is easy enough.  As one would expect of a decent compressor, there
is little redundancy in the zlib stream that can be used for error
checking.  The 2-byte header has some, literal blocks have the length
field twice and compressed blocks contain a couple of illegal symbols.

The best way to protect oneself against accidental errors is checksums.
And the zlib decision to checksum the _un_compressed data clearly
doesn't help in this case, as the experienced problem occurs before the
check.  Also explains the "small .gz expands to gigabytes of data"
attack, btw.

Given a malicious attacker with enough time and resources, checksums
obviously don't help.  They will simply match the corrupt data.

Jörn

-- 
Joern's library part 3:
http://inst.eecs.berkeley.edu/~cs152/fa05/handouts/clark-test.pdf
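
The redundancy described in the mail above, as an added example that is not part of the original message or of the squashfs code: it checks the 2-byte zlib header and the doubled length field of a stored block, shows that a flipped payload byte passes both and is handed out before the Adler-32 trailer is read, and then goes one step further with a checksum over the compressed bytes plus an output cap. The `seal`/`open_sealed` framing, the function names and `MAX_OUT` are assumptions made for this illustration.

```python
import struct
import zlib

MAX_OUT = 1 << 20  # assumed cap on inflated size; choose per application


def header_ok(s: bytes) -> bool:
    """RFC 1950: CM must be 8 and (CMF << 8 | FLG) a multiple of 31."""
    return len(s) >= 2 and (s[0] & 0x0F) == 8 and ((s[0] << 8) | s[1]) % 31 == 0


def stored_len_ok(s: bytes) -> bool:
    """First block stored (BTYPE=00, no preset dictionary): LEN == ~NLEN."""
    if len(s) < 7 or s[1] & 0x20 or s[2] & 0x06:
        return False
    length, nlength = struct.unpack_from("<HH", s, 3)
    return length == (~nlength & 0xFFFF)


def output_before_check(s: bytes) -> bytes:
    """Bytes the inflater hands out before it has seen the Adler-32 trailer."""
    return zlib.decompressobj().decompress(s[:-4])


def seal(data: bytes, level: int = 9) -> bytes:
    """Hypothetical frame: CRC-32 of the *compressed* bytes, then the stream."""
    comp = zlib.compress(data, level)
    return struct.pack(">I", zlib.crc32(comp)) + comp


def open_sealed(frame: bytes, max_out: int = MAX_OUT) -> bytes:
    """Check the compressed bytes first, then inflate under a size bound."""
    if len(frame) < 4:
        raise ValueError("short frame")
    comp = frame[4:]
    if zlib.crc32(comp) != struct.unpack_from(">I", frame)[0]:
        raise ValueError("compressed data corrupt; inflater not invoked")
    d = zlib.decompressobj()
    out = d.decompress(comp, max_out)
    if not d.eof:
        raise ValueError("output reaches the cap, or stream is truncated")
    return out


if __name__ == "__main__":
    good = zlib.compress(b"constructed sample block", 0)  # level 0: stored block
    bad = bytearray(good)
    bad[7] ^= 0xFF  # flip one payload byte; header and LEN/NLEN still pass
    print(header_ok(bad), stored_len_ok(bad), output_before_check(bytes(bad)))
```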