[067/117] initramfs: handle unrecognised decompressor when unpacking
in [Kernel]
|
Prev: [043/117] raid6: fix recovery performance regression
Next: [051/117] x86: Disable large pages on CPUs with Atom erratum AAE44
From: Greg KH on 10 May 2010 19:40 2.6.33-stable review patch. If anyone has any objections, please let us know. ------------------ From: Phillip Lougher <phillip(a)lougher.demon.co.uk> commit df37bd156dcb4f5441beaf5bde444adac974e9a0 upstream. The unpack routine fails to handle the decompress_method() returning unrecognised decompressor (compress_name == NULL). This results in the routine looping eventually oopsing on an out of bounds memory access. Note this bug is usually hidden, only triggering on trailing junk after one or more correct compressed blocks. The case of the compressed archive being complete junk is (by accident?) caught by the if (state != Reset) check because state is initialised to Start, but not updated due to the decompressor not having been called. Obviously if the junk is trailing a correctly decompressed buffer, state == Reset from the previous call to the decompressor. Signed-off-by: Phillip Lougher <phillip(a)lougher.demon.co.uk> Reported-by: Aaro Koskinen <aaro.koskinen(a)iki.fi> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds(a)linux-foundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh(a)suse.de> --- init/initramfs.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) --- a/init/initramfs.c +++ b/init/initramfs.c @@ -457,7 +457,8 @@ static char * __init unpack_to_rootfs(ch compress_name); message = msg_buf; } - } + } else + error("junk in compressed archive"); if (state != Reset) error("junk in compressed archive"); this_header = saved_offset + my_inptr; -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo(a)vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/ |