public inbox for linux-kernel@vger.kernel.org
From: Andrew Morton <akpm@linux-foundation.org>
To: Aaro Koskinen <aaro.koskinen@iki.fi>
Cc: linux-kernel@vger.kernel.org, hsweeten@visionengravers.com,
	hpa@zytor.com, eric.piel@tremplin-utc.net,
	stable <stable@kernel.org>
Subject: Re: [PATCH] initramfs: prevent buffer overflow when unpacking to rootfs
Date: Fri, 2 Apr 2010 14:57:02 -0700
Message-ID: <20100402145702.fb9ccfdc.akpm@linux-foundation.org>
In-Reply-To: <1270115146-25342-1-git-send-email-aaro.koskinen@iki.fi>

On Thu,  1 Apr 2010 12:45:46 +0300
Aaro Koskinen <aaro.koskinen@iki.fi> wrote:

> Garbage in the initrd memory area may result in the unpack routine
> accessing memory outside the buffer. The patch adds a check that the
> specified area size is not exceeded.
> 
> Signed-off-by: Aaro Koskinen <aaro.koskinen@iki.fi>
> Cc: stable <stable@kernel.org>
> ---
> 
> The patch prevents the following kernel panic on Amstrad E3:
> 
> 	Unpacking initramfs...
> 	Unable to handle kernel paging request at virtual address c20121a7
>
> ...
>
> --- a/init/initramfs.c
> +++ b/init/initramfs.c
> @@ -460,6 +460,8 @@ static char * __init unpack_to_rootfs(char *buf, unsigned len)
>  		}
>  		if (state != Reset)
>  			error("junk in compressed archive");
> +		if (my_inptr >= len)
> +			break;
>  		this_header = saved_offset + my_inptr;
>  		buf += my_inptr;
>  		len -= my_inptr;
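Review bot: the new `if (my_inptr >= len) break;` folds two different situations into one silent exit, and the hunk's own context shows why they should be told apart: `len` is declared `unsigned` in `unpack_to_rootfs(char *buf, unsigned len)`, so when `my_inptr` is larger than `len` the following `len -= my_inptr;` wraps to a huge value and the next iteration reads far outside the initrd area. That `my_inptr > len` case means the decompressor consumed more input than it was handed and deserves an `error(...)` alongside the `junk in compressed archive` case just above it, whereas `my_inptr == len` is simply the archive being consumed exactly and a plain `break` is correct there. Consider splitting the check into `if (my_inptr > len) error("decompressor ran past end of archive");` followed by `if (my_inptr == len) break;`, with a comment naming the unsigned wraparound it prevents.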

OK, so if I'm understanding this right, the call to

	decompress(buf, len, NULL, flush_buffer, NULL, &my_inptr, error);

has gone and generated more output data than it was asked to generate?

If so, isn't that a bug in the decompressor?  Which one is your system using?

[ wonders why my_inptr is static, and why the sixth arg to decompress_fn
  takes an int* while callers are passing in an unsigned* ]
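The failure mode under discussion, as an added C example that is not part of this thread and not the kernel's own code: a toy archive walker in the shape of the `unpack_to_rootfs` loop, with a hypothetical `fake_decompress` standing in for `decompress_fn` and a constructed archive whose last member claims more bytes than remain, which models a decompressor consuming past its input. The unguarded loop shows the unsigned `len` wrapping on `len -= consumed`; the guarded loop reports over-consumption as an error and treats exact consumption as the clean end of the archive. All names, the archive format and the return codes are this example's assumptions.

```c
#include <stdio.h>

/* Constructed archive format for this example: each member is one
 * length byte followed by that many payload bytes. A length byte larger
 * than the remaining buffer stands in for a decompressor that consumes
 * more input than it was handed. */
static const unsigned char good_archive[] = { 2, 'a', 'b', 1, 'c' };
static const unsigned char bad_archive[]  = { 2, 'a', 'b', 9, 'x' };

/* Hypothetical stand-in for the decompress_fn callback: reports the
 * bytes it consumed via *in_used, deliberately without clamping to len,
 * so the over-consumption case can be exercised. */
static int fake_decompress(const unsigned char *in, unsigned len,
                           unsigned *in_used)
{
    if (len == 0)
        return -1;
    *in_used = 1u + in[0];
    return 0;
}

/* Pre-patch shape: len -= consumed on an unsigned len wraps when
 * consumed > len, and the next iteration would then read far past the
 * buffer. Returns the member count, -1 on decompressor error, -2 when
 * the wrap occurs (detected here so the example never touches memory
 * outside the archive). */
static int unpack_unguarded(const unsigned char *buf, unsigned len)
{
    unsigned consumed;
    int members = 0;
    while (len) {
        if (fake_decompress(buf, len, &consumed))
            return -1;
        unsigned before = len;
        len -= consumed;             /* wraps when consumed > before */
        if (len > before)
            return -2;
        buf += consumed;
        members++;
    }
    return members;
}

/* Guarded shape: over-consumption (consumed > len) is reported as an
 * error, exact consumption (consumed == len) is the clean end of the
 * archive, and only a strictly smaller consumed advances to the next
 * member. Same return convention as above. */
static int unpack_guarded(const unsigned char *buf, unsigned len)
{
    unsigned consumed;
    int members = 0;
    while (len) {
        if (fake_decompress(buf, len, &consumed))
            return -1;
        if (consumed > len)
            return -2;               /* decompressor ran past its input */
        members++;
        if (consumed == len)
            break;                   /* archive consumed exactly */
        buf += consumed;
        len -= consumed;
    }
    return members;
}

int main(void)
{
    printf("guarded, good archive:   %d members\n",
           unpack_guarded(good_archive, sizeof good_archive));
    printf("guarded, bad archive:    %d\n",
           unpack_guarded(bad_archive, sizeof bad_archive));
    printf("unguarded, bad archive:  %d\n",
           unpack_unguarded(bad_archive, sizeof bad_archive));
    return 0;
}
```

The point of keeping the `>` and `==` cases separate is that an archive ending exactly on a member boundary and a decompressor overrunning its input look identical to a single `>=` check, yet only the second one indicates corrupt input or a decompressor bug worth logging.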


Thread overview: 3+ messages
2010-04-01  9:45 [PATCH] initramfs: prevent buffer overflow when unpacking to rootfs Aaro Koskinen
2010-04-02 21:57 ` Andrew Morton [this message]
2010-04-03 20:41   ` Aaro Koskinen