From: Chris Wright <chrisw@osdl.org>
To: linux-kernel@vger.kernel.org, stable@kernel.org,
	Tim Yamin <plasmaroo@gentoo.org>
Cc: Justin Forbes <jmforbes@linuxtx.org>,
	Zwane Mwaikambo <zwane@arm.linux.org.uk>,
	"Theodore Ts'o" <tytso@mit.edu>,
	"Randy.Dunlap" <rdunlap@xenotime.net>,
	Chuck Wolber <chuckw@quantumlinux.com>,
	torvalds@osdl.org, akpm@osdl.org, alan@lxorguk.ukuu.org.uk,
	"H. Peter Anvin" <hpa@zytor.com>, Chris Wright <chrisw@osdl.org>
Subject: [patch 5/8] Check input buffer size in zisofs
Date: Thu, 11 Aug 2005 15:54:50 -0700
Message-ID: <20050811225633.103369000@localhost.localdomain>
In-Reply-To: 20050811225445.404816000@localhost.localdomain

[-- Attachment #1: zisofs.patch --]
[-- Type: text/plain, Size: 1928 bytes --]

-stable review patch.  If anyone has any objections, please let us know.
------------------


It's not the real deflateBound() in newer zlib libraries, partly because
the upcoming usage of it won't have the "stream" available, so we can't
have the same interfaces anyway.

This uses the new deflateBound() thing to sanity-check the input to the
zlib decompressor before we even bother to start reading in the blocks.

Problem noted by Tim Yamin <plasmaroo@gentoo.org>

Signed-off-by: Chris Wright <chrisw@osdl.org>
---
 fs/isofs/compress.c  |    6 ++++++
 include/linux/zlib.h |    5 +++++
 2 files changed, 11 insertions(+)

Index: linux-2.6.12.y/include/linux/zlib.h
===================================================================
--- linux-2.6.12.y.orig/include/linux/zlib.h
+++ linux-2.6.12.y/include/linux/zlib.h
@@ -506,6 +506,11 @@ extern int zlib_deflateReset (z_streamp 
    stream state was inconsistent (such as zalloc or state being NULL).
 */
 
+static inline unsigned long deflateBound(unsigned long s)
+{
+	return s + ((s + 7) >> 3) + ((s + 63) >> 6) + 11;
+}
+
 extern int zlib_deflateParams (z_streamp strm, int level, int strategy);
 /*
      Dynamically update the compression level and compression strategy.  The
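Review bot: the new inline is named `deflateBound()` while every other function in this header is prefixed `zlib_` (`zlib_deflateReset`, `zlib_deflateParams` in this very hunk); either use a `zlib_`-prefixed name or add a comment above the function making explicit what the commit message says, namely that this is a deliberately simplified, conservative upper bound on the compressed size of `s` input bytes and not zlib's own stream-based `deflateBound()`. The comment should also say what the three terms account for (the two shift terms and the `+ 11` constant are unexplained as written), so a reader can verify that the bound is never smaller than a legitimate deflate stream and that the check built on it cannot reject valid data.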
Index: linux-2.6.12.y/fs/isofs/compress.c
===================================================================
--- linux-2.6.12.y.orig/fs/isofs/compress.c
+++ linux-2.6.12.y/fs/isofs/compress.c
@@ -129,8 +129,14 @@ static int zisofs_readpage(struct file *
 	cend = le32_to_cpu(*(__le32 *)(bh->b_data + (blockendptr & bufmask)));
 	brelse(bh);
 
+	if (cstart > cend)
+		goto eio;
+		
 	csize = cend-cstart;
 
+	if (csize > deflateBound(1UL << zisofs_block_shift))
+		goto eio;
+
 	/* Now page[] contains an array of pages, any of which can be NULL,
 	   and the locks on which we hold.  We should now read the data and
 	   release the pages.  If the pages are NULL the decompressed data
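Review bot: the blank line added after the first `goto eio;` carries trailing tabs; it should be an empty `+` line. Both checks are the right shape: `cstart > cend` rejects an inverted pointer pair before `cend-cstart` can produce a wrapped `csize`, and comparing `csize` against `deflateBound(1UL << zisofs_block_shift)` rejects compressed input larger than any deflate stream for one uncompressed block could legitimately be, so a corrupt block table can no longer drive the reads that follow with an arbitrary size. Both failures jump to `eio` silently, though; a `printk` naming the offending `cstart`/`cend` values would let an administrator tell a corrupt image from a genuine I/O error when the -EIO reaches userspace.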

--
