| commit | c41ec8f4ae37ae4c7c56304ed1b685911fa46667 | |
| author | Phillip Lougher <phillip@lougher.demon.co.uk> | |
| Fri, 23 Apr 2010 17:18:11 +0000 (23 13:18 -0400) | ||
| committer | Greg Kroah-Hartman <gregkh@suse.de> | |
| Wed, 12 May 2010 22:02:50 +0000 (12 15:02 -0700) | ||
| tree | 4f78c67d7165399e8d6ba3e5fba9c7c9e067b8ca | treesnapshot (tar.gz zip) |
| parent | c52f6ef733796f6e9e115fd269087f095a1fc670 | commitdiff |
initramfs: handle unrecognised decompressor when unpacking
commit df37bd156dcb4f5441beaf5bde444adac974e9a0 upstream.
The unpack routine fails to handle the decompress_method() returning
unrecognised decompressor (compress_name == NULL). This results in the
routine looping eventually oopsing on an out of bounds memory access.
Note this bug is usually hidden, only triggering on trailing junk after
one or more correct compressed blocks. The case of the compressed archive
being complete junk is (by accident?) caught by the if (state != Reset)
check because state is initialised to Start, but not updated due to the
decompressor not having been called. Obviously if the junk is trailing a
correctly decompressed buffer, state == Reset from the previous call to
the decompressor.
Signed-off-by: Phillip Lougher <phillip@lougher.demon.co.uk>
Reported-by: Aaro Koskinen <aaro.koskinen@iki.fi>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
commit df37bd156dcb4f5441beaf5bde444adac974e9a0 upstream.
The unpack routine fails to handle the decompress_method() returning
unrecognised decompressor (compress_name == NULL). This results in the
routine looping eventually oopsing on an out of bounds memory access.
Note this bug is usually hidden, only triggering on trailing junk after
one or more correct compressed blocks. The case of the compressed archive
being complete junk is (by accident?) caught by the if (state != Reset)
check because state is initialised to Start, but not updated due to the
decompressor not having been called. Obviously if the junk is trailing a
correctly decompressed buffer, state == Reset from the previous call to
the decompressor.
Signed-off-by: Phillip Lougher <phillip@lougher.demon.co.uk>
Reported-by: Aaro Koskinen <aaro.koskinen@iki.fi>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
| init/initramfs.c | diffblobblamehistory |