aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorPhillip Lougher <phillip@lougher.demon.co.uk>2010-04-23 13:18:11 -0400
committerLinus Torvalds <torvalds@linux-foundation.org>2010-04-24 14:31:26 -0400
commitdf37bd156dcb4f5441beaf5bde444adac974e9a0 (patch)
tree46828c4ed92f4bbd009392a5bad659555872b276
parent22eccdd7d2d94be48ae9b01fef5f52ccbb81dcd5 (diff)
initramfs: handle unrecognised decompressor when unpacking
The unpack routine fails to handle the decompress_method() returning unrecognised decompressor (compress_name == NULL). This results in the routine looping eventually oopsing on an out of bounds memory access. Note this bug is usually hidden, only triggering on trailing junk after one or more correct compressed blocks. The case of the compressed archive being complete junk is (by accident?) caught by the if (state != Reset) check because state is initialised to Start, but not updated due to the decompressor not having been called. Obviously if the junk is trailing a correctly decompressed buffer, state == Reset from the previous call to the decompressor. Signed-off-by: Phillip Lougher <phillip@lougher.demon.co.uk> Reported-by: Aaro Koskinen <aaro.koskinen@iki.fi> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
-rw-r--r--init/initramfs.c3
1 files changed, 2 insertions, 1 deletions
diff --git a/init/initramfs.c b/init/initramfs.c
index 37d3859b1b32..4b9c20205092 100644
--- a/init/initramfs.c
+++ b/init/initramfs.c
@@ -457,7 +457,8 @@ static char * __init unpack_to_rootfs(char *buf, unsigned len)
457 compress_name); 457 compress_name);
458 message = msg_buf; 458 message = msg_buf;
459 } 459 }
460 } 460 } else
461 error("junk in compressed archive");
461 if (state != Reset) 462 if (state != Reset)
462 error("junk in compressed archive"); 463 error("junk in compressed archive");
463 this_header = saved_offset + my_inptr; 464 this_header = saved_offset + my_inptr;