The utility fsck.cramfs is prone to a bus error on file systems for
big endian systems with non-standard header sizes. While calculating
the crc32 checksum, it does not properly handle a possible offset
for bootcodes, resulting in out of boundary access of mmap'ed area.
You can trigger the issue with the following commands:
$ mkdir -p cramfs-poc/root/subdir
$ cd cramfs-poc
$ mkfs.cramfs -p -N big root cramfs
$ echo -ne \\00\\x4c | dd of=cramfs bs=1 seek=518 count=2 conv=notrunc
$ fsck.cramfs cramfs
Signed-off-by: Tobias Stoeckmann <tobias@xxxxxxxxxxxxxx>
---
This is the second and much cleaner version of the initial patch.
We can easily use the offset of mmap, which heavily reduces the
manual buf + start calculation.
---
disk-utils/fsck.cramfs.c | 7 +++----
1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/disk-utils/fsck.cramfs.c b/disk-utils/fsck.cramfs.c
index 50c7d33b9..cafa659af 100644
--- a/disk-utils/fsck.cramfs.c
+++ b/disk-utils/fsck.cramfs.c
@@ -220,7 +220,7 @@ static void test_crc(int start)
crc = crc32(0L, NULL, 0);
buf =
- mmap(NULL, super.size, PROT_READ | PROT_WRITE, MAP_PRIVATE, fd, 0);
+ mmap(NULL, super.size, PROT_READ | PROT_WRITE, MAP_PRIVATE, fd, start);
if (buf == MAP_FAILED) {
buf =
mmap(NULL, super.size, PROT_READ | PROT_WRITE,
@@ -233,9 +233,8 @@ static void test_crc(int start)
}
}
if (buf != MAP_FAILED) {
- ((struct cramfs_super *)((unsigned char *) buf + start))->fsid.crc =
- crc32(0L, NULL, 0);
- crc = crc32(crc, (unsigned char *) buf + start, super.size - start);
+ ((struct cramfs_super *) buf)->fsid.crc = crc32(0L, NULL, 0);
+ crc = crc32(crc, buf, super.size);
munmap(buf, super.size);
} else {
int retval;
--
2.14.3
--
To unsubscribe from this list: send the line "unsubscribe util-linux" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
