The patch titled
     Decompressors: check for read errors in decompress_unlzma.c
has been added to the -mm tree.  Its filename is
     decompressors-check-for-read-errors-in-decompress_unlzmac.patch

Before you just go and hit "reply", please:
   a) Consider who else should be cc'ed
   b) Prefer to cc a suitable mailing list as well
   c) Ideally: find the original patch on the mailing list and do a
      reply-to-all to that, adding suitable additional cc's

*** Remember to use Documentation/SubmitChecklist when testing your code ***

See http://userweb.kernel.org/~akpm/stuff/added-to-mm.txt to find
out what to do about this

The current -mm tree may be found at http://userweb.kernel.org/~akpm/mmotm/

------------------------------------------------------
Subject: Decompressors: check for read errors in decompress_unlzma.c
From: Lasse Collin <lasse.collin@xxxxxxxxxxx>

Return value of rc->fill() is checked in rc_read() and error() is called
when needed, but then the code continues as if nothing had happened.
rc_read() is a void function and it's on the top of performance critical
call stacks, so propagating the error code via return values doesn't sound
like the best fix.  It seems better to check rc->buffer_size (which holds
the return value of rc->fill()) in the main loop.  It does nothing bad
that the code runs a little with unknown data after a failed rc->fill().

This fixes an infinite loop in initramfs decompression if the
LZMA-compressed initramfs image is corrupt.

Signed-off-by: Lasse Collin <lasse.collin@xxxxxxxxxxx>
Cc: "H. Peter Anvin" <hpa@xxxxxxxxx>
Cc: Alain Knaff <alain@xxxxxxxx>
Cc: Albin Tonnerre <albin.tonnerre@xxxxxxxxxxxxxxxxxx>
Cc: Phillip Lougher <phillip@xxxxxxxxxxxxxxxxxxx>
Signed-off-by: Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx>
---

 lib/decompress_unlzma.c | 3 +++
 lib/decompress_unlzma.c.orig | 4 +++-
 2 files changed, 6 insertions(+), 1 deletion(-)

diff -puN lib/decompress_unlzma.c~decompressors-check-for-read-errors-in-decompress_unlzmac lib/decompress_unlzma.c
--- a/lib/decompress_unlzma.c~decompressors-check-for-read-errors-in-decompress_unlzmac +++ a/lib/decompress_unlzma.c @@ -631,6 +631,8 @@ STATIC inline int INIT unlzma(unsigned c if (cst.rep0 == 0) break; } + if (rc.buffer_size <= 0) + goto exit_3; } if (posp) @@ -638,6 +640,7 @@ STATIC inline int INIT unlzma(unsigned c if (wr.flush) wr.flush(wr.buffer, wr.buffer_pos); ret = 0; +exit_3: large_free(p); exit_2: if (!output) diff -puN lib/decompress_unlzma.c.orig~decompressors-check-for-read-errors-in-decompress_unlzmac lib/decompress_unlzma.c.orig --- a/lib/decompress_unlzma.c.orig~decompressors-check-for-read-errors-in-decompress_unlzmac +++ a/lib/decompress_unlzma.c.orig @@ -574,8 +574,10 @@ STATIC inline int INIT unlzma(unsigned c ((unsigned char *)&header)[i] = *rc.ptr++; } - if (header.pos >= (9 * 5 * 5)) + if (header.pos >= (9 * 5 * 5)) { error("bad header"); + goto exit_1; + } mi = 0; lc = header.pos; _ Patches currently in -mm which might be from lasse.collin@xxxxxxxxxxx are decompressors-add-missing-init-ie-__init.patch decompressors-get-rid-of-set_error_fn-macro.patch decompressors-include-linux-slabh-in-linux-decompress-mmh.patch decompressors-remove-unused-function-from-lib-decompress_unlzmac.patch decompressors-fix-header-validation-in-decompress_unlzmac.patch decompressors-check-for-read-errors-in-decompress_unlzmac.patch decompressors-check-for-write-errors-in-decompress_unlzmac.patch decompressors-validate-match-distance-in-decompress_unlzmac.patch decompressors-check-for-write-errors-in-decompress_unlzoc.patch decompressors-check-input-size-in-decompress_unlzoc.patch decompressors-fix-callback-to-callback-mode-in-decompress_unlzoc.patch
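
Review bot: in the @@ -631,6 +631,8 hunk of lib/decompress_unlzma.c, the new `if (rc.buffer_size <= 0) goto exit_3;` carries no comment, and the reason it sits at the bottom of the main loop instead of in rc_read() is recorded only in the changelog. A short comment above the check would help, saying that rc.buffer_size holds the last rc->fill() return value and that decoding may run briefly on unknown data before this test is reached. Please also confirm that ret still holds an error value here: the jump skips the `ret = 0;` assignment visible in the next hunk, and nothing in these lines sets ret on the failure path.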
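
Review bot: in the @@ -638,6 +640,7 hunk, placing `exit_3:` after `ret = 0;` means the read-error path skips both the `if (posp)` block and the `wr.flush(wr.buffer, wr.buffer_pos)` call, so output decoded before the failed fill is never handed to the flush callback. That looks reasonable for a corrupt image, but it should be stated in a comment at the label or in the changelog so the difference from the success path is clearly deliberate.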
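
Review bot: the @@ -574,8 +574,10 hunk is against lib/decompress_unlzma.c.orig, which looks like a backup file left over from applying an earlier patch and should not be part of this change; the diffstat counts it as a second modified file. The `goto exit_1` added after `error("bad header")` is also a header-validation change, not the read-error check the changelog describes. Suggest dropping the .orig hunk and regenerating the diff so that only lib/decompress_unlzma.c is touched.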