Package: squashfs-tools
Version: 1:2.2r2-2ubuntu2
Severity: critical
Tags: patch
Justification: causes the kernel to PANIC on an attempt to read from the generated filesystem (unrelated package to break); and vital indexes are lost so data in the generated filesystem cannot be retrieved (data loss)

Attached is a patch to correct a rounding error in the generation of the fragment table indexes of generated squashfs filesystems.

If the number of fragments divides evenly into the size of each fragment table chunk then the code believes that there are 0 bytes available in the buffer rather than 8192 bytes.

This results in code being unable to obtain the final part of the fragment index, making the files inaccessible and, due to insufficient sanity checking in the kernel code, causing the kernel to PANIC.

I've also sent this patch upstream, who has verified that it is correct and there is indeed a bug here.

Note that although the patch is against 2.2r2, the difference is small enough that it will apply successfully to 3.0.

Scott
--
Scott James Remnant
[EMAIL PROTECTED]
diff -ruNp squashfs-2.2r2~/squashfs-tools/mksquashfs.c squashfs-2.2r2/squashfs-tools/mksquashfs.c --- squashfs-2.2r2~/squashfs-tools/mksquashfs.c 2006-05-26 03:13:44.000000000 +0100 +++ squashfs-2.2r2/squashfs-tools/mksquashfs.c 2006-05-26 03:25:33.000000000 +0100 @@ -942,7 +942,7 @@ unsigned int write_fragment_table() } for(i = 0; i < meta_blocks; i++) { - int avail_bytes = i == meta_blocks - 1 ? frag_bytes % SQUASHFS_METADATA_SIZE : SQUASHFS_METADATA_SIZE; + int avail_bytes = i == meta_blocks - 1 ? frag_bytes - SQUASHFS_METADATA_SIZE * i : SQUASHFS_METADATA_SIZE; c_byte = mangle(cbuffer + block_offset, buffer + i * SQUASHFS_METADATA_SIZE , avail_bytes, SQUASHFS_METADATA_SIZE, noF, 0); if(!swap) memcpy(cbuffer, &c_byte, sizeof(unsigned short));
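Review bot: On the changed avail_bytes line in write_fragment_table(), the last-block size `frag_bytes - SQUASHFS_METADATA_SIZE * i` is only correct if meta_blocks is the rounded-up count of SQUASHFS_METADATA_SIZE chunks in frag_bytes, and that computation is outside the visible context. Please confirm it, and consider asserting that avail_bytes is greater than 0 and no larger than SQUASHFS_METADATA_SIZE before the call to mangle(), so a recurrence fails at build time instead of producing an unreadable image. The condition would also read more clearly parenthesised as `(i == meta_blocks - 1)`. This change fixes only the generator: the report attributes the panic to insufficient sanity checking in the kernel code, so images produced by the unpatched tool remain a problem until the reader validates the fragment index.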