[PATCH] PATCH: Fix outstanding gzip/zlib security issues

commit	243393c90f2b7cb781fd794e22786e9c8547901a
Add fakey 'deflateBound()' function to the in-kernel zlib routines

It's not the real deflateBound() in newer zlib libraries, partly because
the upcoming usage of it won't have the "stream" available, so we can't
have the same interfaces anyway.

commit	fab5a60a29f98f17256a4183e34a414f6db67569
This uses the new deflateBound() thing to sanity-check the input to the
zlib decompressor before we even bother to start reading in the blocks.

Problem noted by Tim Yamin <plasmaroo@gentoo.org>
author	Linus Torvalds <torvalds@g5.osdl.org>

diff --git a/fs/isofs/compress.c b/fs/isofs/compress.c
index 0224541..a441ad0 100644 (file)
--- a/fs/isofs/compress.c
+++ b/fs/isofs/compress.c
@@ -147,8 +147,14 @@ static int zisofs_readpage(struct file *file, struct page *page)
        cend = le32_to_cpu(*(u32 *)(bh->b_data + (blockendptr & bufmask)));
        brelse(bh);
 
+       if (cstart > cend)
+               goto eio;
+
        csize = cend-cstart;
 
+       if (csize > deflateBound(1UL << zisofs_block_shift))
+               goto eio;
+
        /* Now page[] contains an array of pages, any of which can be NULL,
           and the locks on which we hold.  We should now read the data and
           release the pages.  If the pages are NULL the decompressed data

diff --git a/include/linux/zlib.h b/include/linux/zlib.h
index 4582d53..a57b07d 100644 (file)
--- a/include/linux/zlib.h
+++ b/include/linux/zlib.h
@@ -516,6 +516,11 @@ ZEXTERN int ZEXPORT zlib_deflateReset OF((z_streamp strm));
    stream state was inconsistent (such as zalloc or state being NULL).
 */
 
+static inline unsigned long deflateBound(unsigned long s)
+{
+       return s + ((s + 7) >> 3) + ((s + 63) >> 6) + 11;
+}
+
 ZEXTERN int ZEXPORT zlib_deflateParams OF((z_streamp strm,
                                              int level,
                                              int strategy));