| From df37bd156dcb4f5441beaf5bde444adac974e9a0 Mon Sep 17 00:00:00 2001 |
| From: Phillip Lougher <phillip@lougher.demon.co.uk> |
| Date: Fri, 23 Apr 2010 13:18:11 -0400 |
| Subject: initramfs: handle unrecognised decompressor when unpacking |
| |
| From: Phillip Lougher <phillip@lougher.demon.co.uk> |
| |
| commit df37bd156dcb4f5441beaf5bde444adac974e9a0 upstream. |
| |
| The unpack routine fails to handle the decompress_method() returning |
| unrecognised decompressor (compress_name == NULL). This results in the |
| routine looping eventually oopsing on an out of bounds memory access. |
| |
| Note this bug is usually hidden, only triggering on trailing junk after |
| one or more correct compressed blocks. The case of the compressed archive |
| being complete junk is (by accident?) caught by the if (state != Reset) |
| check because state is initialised to Start, but not updated due to the |
| decompressor not having been called. Obviously if the junk is trailing a |
| correctly decompressed buffer, state == Reset from the previous call to |
| the decompressor. |
| |
| Signed-off-by: Phillip Lougher <phillip@lougher.demon.co.uk> |
| Reported-by: Aaro Koskinen <aaro.koskinen@iki.fi> |
| Signed-off-by: Andrew Morton <akpm@linux-foundation.org> |
| Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> |
| |
| --- |
| init/initramfs.c | 3 ++- |
| 1 file changed, 2 insertions(+), 1 deletion(-) |
| |
| --- a/init/initramfs.c |
| +++ b/init/initramfs.c |
| @@ -457,7 +457,8 @@ static char * __init unpack_to_rootfs(ch |
| compress_name); |
| message = msg_buf; |
| } |
| - } |
| + } else |
| + error("junk in compressed archive"); |
| if (state != Reset) |
| error("junk in compressed archive"); |
| this_header = saved_offset + my_inptr; |
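
Review bot: The new `else` branch reuses the exact string "junk in compressed archive" that the `if (state != Reset)` check directly below it already reports, so a boot log cannot tell the unrecognised-decompressor case described in the commit message (compress_name == NULL) apart from the decompressor leaving state other than Reset. Consider a distinct message for the new branch, or a short comment above the `else` saying it covers the case where no compression method was recognised. Style point on the same lines: the `else` body is unbraced while the block it follows is closed with `}`; kernel coding style asks for braces on every branch when any branch of the conditional uses them.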