From: Phillip Lougher Date: Fri, 23 Apr 2010 17:18:11 +0000 (-0400) Subject: initramfs: handle unrecognised decompressor when unpacking X-Git-Url: https://git.stricted.de/?a=commitdiff_plain;h=df37bd156dcb4f5441beaf5bde444adac974e9a0;p=GitHub%2Fmoto-9609%2Fandroid_kernel_motorola_exynos9610.git initramfs: handle unrecognised decompressor when unpacking The unpack routine fails to handle the decompress_method() returning unrecognised decompressor (compress_name == NULL). This results in the routine looping eventually oopsing on an out of bounds memory access. Note this bug is usually hidden, only triggering on trailing junk after one or more correct compressed blocks. The case of the compressed archive being complete junk is (by accident?) caught by the if (state != Reset) check because state is initialised to Start, but not updated due to the decompressor not having been called. Obviously if the junk is trailing a correctly decompressed buffer, state == Reset from the previous call to the decompressor. Signed-off-by: Phillip Lougher Reported-by: Aaro Koskinen Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds --- diff --git a/init/initramfs.c b/init/initramfs.c index 37d3859b1b32..4b9c20205092 100644 --- a/init/initramfs.c +++ b/init/initramfs.c @@ -457,7 +457,8 @@ static char * __init unpack_to_rootfs(char *buf, unsigned len) compress_name); message = msg_buf; } - } + } else + error("junk in compressed archive"); if (state != Reset) error("junk in compressed archive"); this_header = saved_offset + my_inptr;
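
Review bot: The new `} else` branch calls error("junk in compressed archive") with exactly the same string as the `if (state != Reset)` check that follows it, so the log no longer shows which condition fired: no decompressor was recognised, or a decompressor ran and stopped in an unexpected state. According to the commit message, an archive that is complete junk leaves state at Start, so that input now reaches both error() calls with identical text. Consider a distinct message for the unrecognised-decompressor case. Also, since the if branch is braced, bracing the else as well would match kernel coding style.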