Author: lcapitulino
Date: Thu Feb 15 17:01:56 2007
New Revision: 121433
Added:
packages/updates/2006.0/kernel-2.6/current/PATCHES/patches/ZZD0_CVE-2006-5823_cramfs_zlib_inflate.patch
Modified:
packages/updates/2006.0/kernel-2.6/current/SPECS/kernel-2.6.spec
Log:
Fix for CVE-2006-5823
Added:
packages/updates/2006.0/kernel-2.6/current/PATCHES/patches/ZZD0_CVE-2006-5823_cramfs_zlib_inflate.patch
==============================================================================
--- (empty file)
+++
packages/updates/2006.0/kernel-2.6/current/PATCHES/patches/ZZD0_CVE-2006-5823_cramfs_zlib_inflate.patch
Thu Feb 15 17:01:56 2007
@@ -0,0 +1,38 @@
+commit 8bb0269160df2a60764013994d0bc5165406cf4a
+Author: Phillip Lougher <[EMAIL PROTECTED]>
+Date: Wed Dec 6 20:37:20 2006 -0800
+
+ [PATCH] corrupted cramfs filesystems cause kernel oops
+
+ Steve Grubb's fzfuzzer tool (http://people.redhat.com/sgrubb/files/
+ fsfuzzer-0.6.tar.gz) generates corrupt Cramfs filesystems which cause
+ Cramfs to kernel oops in cramfs_uncompress_block(). The cause of the oops
+ is an unchecked corrupted block length field read by cramfs_readpage().
+
+ This patch adds a sanity check to cramfs_readpage() which checks that the
+ block length field is sensible. The (PAGE_CACHE_SIZE << 1) size check is
+ intentional, even though the uncompressed data is not going to be larger
+ than PAGE_CACHE_SIZE, gzip sometimes generates compressed data larger than
+ the original source data. Mkcramfs checks that the compressed size is
+ always less than or equal to PAGE_CACHE_SIZE << 1. Of course Cramfs could
+ use the original uncompressed data in this case, but it doesn't.
+
+ Signed-off-by: Phillip Lougher <[EMAIL PROTECTED]>
+ Signed-off-by: Andrew Morton <[EMAIL PROTECTED]>
+ Signed-off-by: Linus Torvalds <[EMAIL PROTECTED]>
+
+---
+ fs/cramfs/inode.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- linux-2.6.12.orig/fs/cramfs/inode.c
++++ linux-2.6.12/fs/cramfs/inode.c
+@@ -449,6 +449,8 @@ static int cramfs_readpage(struct file *
+ pgdata = kmap(page);
+ if (compr_len == 0)
+ ; /* hole */
++ else if (compr_len > (PAGE_CACHE_SIZE << 1))
++ printk(KERN_ERR "cramfs: bad compressed blocksize
%u\n", compr_len);
+ else {
+ down(&read_mutex);
+ bytes_filled = cramfs_uncompress_block(pgdata,
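Review bot: In the cramfs_readpage() hunk, the new `else if (compr_len > (PAGE_CACHE_SIZE << 1))` branch only logs and then carries on, and nothing in the visible lines marks the read as failed. Please confirm that the code following this hunk leaves the page zero-filled or flagged in error for this case, so that a block with a corrupt length is not returned to the reader as if it were a hole (`compr_len == 0`). The `printk(KERN_ERR ...)` is also unthrottled: an image with many bad length fields produces one log line per page read, so consider guarding it with `printk_ratelimit()`. Separately, the printk line appears split across two lines here; check that the committed patch file has it on a single line, since a string literal broken mid-line will neither apply cleanly nor compile.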
Modified: packages/updates/2006.0/kernel-2.6/current/SPECS/kernel-2.6.spec
==============================================================================
--- packages/updates/2006.0/kernel-2.6/current/SPECS/kernel-2.6.spec
(original)
+++ packages/updates/2006.0/kernel-2.6/current/SPECS/kernel-2.6.spec Thu Feb
15 17:01:56 2007
@@ -1374,6 +1374,7 @@
* ZZCD_CVE-2006-6053_ext3_handle_dir_corruption.patch (#28303)
* ZZCE_CVE-2006-4814_mincore_fix_user_access_locking.patch (#28373)
* ZZCF_CVE-2007-0006_key_serial_number_collision_fix.patch (#28636)
+ * ZZD0_CVE-2006-5823_cramfs_zlib_inflate.patch (#28688)
* Thu Jan 18 2007 Samir Bellabes <[EMAIL PROTECTED]> 2.6.12-30mdk
o Samir Bellabes <[EMAIL PROTECTED]>
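Review bot: The changelog entry `ZZD0_CVE-2006-5823_cramfs_zlib_inflate.patch` names zlib inflate, but the patch it lists touches only fs/cramfs/inode.c and adds a block length check in cramfs_readpage(). The neighbouring entries describe the fix itself (`ext3_handle_dir_corruption`, `mincore_fix_user_access_locking`), so a name along the lines of `cramfs_readpage_check_block_length` would make this one easier to find later. The bug reference (#28688) appears only here, and the commit log says just "Fix for CVE-2006-5823"; adding the bug number to the log would tie the two together.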