zlib double-free bug


Post by Paul Mackerra » Tue, 19 Mar 2002 20:10:10



Recently CERT published an advisory, warning about a bug in zlib where
a chunk of memory could get freed twice, depending on the data being
decompressed, which could potentially give a way to attack a system
using zlib.  The reference is

        http://www.cert.org/advisories/CA-2002-07.html

All 3 of the versions of zlib in the current 2.4 kernel have this bug.
The version in 2.5 doesn't because it handles memory allocation in a
different way.

The patch below fixes this bug in each of the three copies of zlib.c,
in the same way that it is fixed in the zlib-1.1.4 release (basically
by making sure that s->sub.trees.blens is always freed whenever, and
only when, s->mode is changed from BTREE or DTREE to some other value).

In the longer term I recommend that the 2.5.x changes to use a single
copy of zlib in lib/zlib_{deflate,inflate} should be back-ported to
2.4.  For now, this patch should be applied to 2.4.x since the bug is
a potential security hole if you are using PPP with Deflate
compression.

The patch also raises the minimum value of `windowBits' for
compression from 8 to 9, since using windowBits==8 causes memory
corruption (this was discovered by James Carlson, see
http://playground.sun.com/~carlsonj/ for details).  Current versions
of pppd avoid using windowBits==8 for this reason, but it is better to
have zlib protect itself as well.

Paul.

diff -urN linux-2.4.19-pre3/arch/ppc/boot/lib/zlib.c pmac/arch/ppc/boot/lib/zlib.c
--- linux-2.4.19-pre3/arch/ppc/boot/lib/zlib.c  Mon Mar 18 13:34:47 2002
+++ pmac/arch/ppc/boot/lib/zlib.c       Mon Mar 18 21:15:55 2002
@@ -928,7 +928,10 @@
       {
         r = t;
         if (r == Z_DATA_ERROR)
+       {
+          ZFREE(z, s->sub.trees.blens, s->sub.trees.nblens * sizeof(uInt));
           s->mode = BADB;
+       }
         LEAVE
       }
       s->sub.trees.index = 0;
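Review bot: The added `ZFREE` sits only inside the `Z_DATA_ERROR` branch, so any other failure of the tree build (for example `Z_MEM_ERROR`) exits through `LEAVE` with `s->mode` still BTREE and `s->sub.trees.blens` still allocated. That is consistent with the rule in the patch description only if the reset/teardown path, which is outside this hunk, frees blens whenever the mode is BTREE or DTREE; that should be confirmed for each copy of the file, otherwise these exits leak. A comment at the free, e.g. `/* blens is owned by the BTREE/DTREE states: free it only when leaving them */`, would keep the invariant visible to whoever next resyncs this code. The DTREE hunk later in this file and the matching BTREE/DTREE hunks in drivers/net/zlib.c and fs/jffs2/zlib.c rely on the same rule.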
@@ -964,6 +967,7 @@
           if (i + j > 258 + (t & 0x1f) + ((t >> 5) & 0x1f) ||
               (c == 16 && i < 1))
           {
+            ZFREE(z, s->sub.trees.blens, s->sub.trees.nblens * sizeof(uInt));
             s->mode = BADB;
             z->msg = "invalid bit length repeat";
             r = Z_DATA_ERROR;
@@ -991,7 +995,10 @@
         if (t != Z_OK)
         {
           if (t == (uInt)Z_DATA_ERROR)
+         {
+            ZFREE(z, s->sub.trees.blens, s->sub.trees.nblens * sizeof(uInt));
             s->mode = BADB;
+         }
           r = t;
           LEAVE
         }
@@ -1003,11 +1010,11 @@
           r = Z_MEM_ERROR;
           LEAVE
         }
-        ZFREE(z, s->sub.trees.blens, s->sub.trees.nblens * sizeof(uInt));
         s->sub.decode.codes = c;
         s->sub.decode.tl = tl;
         s->sub.decode.td = td;
       }
+      ZFREE(z, s->sub.trees.blens, s->sub.trees.nblens * sizeof(uInt));
       s->mode = CODES;
     case CODES:
       UPDATE
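Review bot: The `ZFREE(z, s->sub.trees.blens, ...)` that this hunk moves below the closing brace now runs after `s->sub.decode.codes = c;`, and `trees` and `decode` both sit under `s->sub`. If `sub` is a union, as the author's follow-up message on this page indicates, the call no longer frees the bit-length array but whatever the new stores left in that word, which would release state that is still in use and leak blens. Keep the free where it was, immediately before `s->sub.decode.codes = c;`, which is the placement the revised patch later in the thread uses. The same late free is added in the last hunk of drivers/net/zlib.c and of fs/jffs2/zlib.c (`ZFREE(z, s->sub.trees.blens);` just before `s->mode = CODES;`). The block closed by the brace opens outside the hunk.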
diff -urN linux-2.4.19-pre3/drivers/net/zlib.c pmac/drivers/net/zlib.c
--- linux-2.4.19-pre3/drivers/net/zlib.c        Sat Apr 28 23:02:45 2001
+++ pmac/drivers/net/zlib.c     Mon Mar 18 12:12:17 2002
@@ -14,7 +14,7 @@
  */

 /*
- *  ==FILEVERSION 971210==
+ *  ==FILEVERSION 20020318==
  *
  * This marker is used by the Linux installation script to determine
  * whether an up-to-date version of this file is already installed.
@@ -772,7 +772,7 @@
         windowBits = -windowBits;
     }
     if (memLevel < 1 || memLevel > MAX_MEM_LEVEL || method != Z_DEFLATED ||
-        windowBits < 8 || windowBits > 15 || level < 0 || level > 9 ||
+        windowBits < 9 || windowBits > 15 || level < 0 || level > 9 ||
        strategy < 0 || strategy > Z_HUFFMAN_ONLY) {
         return Z_STREAM_ERROR;
     }
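Review bot: The new lower bound `windowBits < 9` is a bare constant with no explanation at the check, so a later resync with another zlib copy could quietly restore 8. A comment above the condition, such as `/* windowBits == 8 is rejected: deflate corrupts memory with a 256-byte window */`, would record the reason given in the patch description. Callers that used to pass 8 now get `Z_STREAM_ERROR`, so any in-tree user that negotiates the window size should be checked to refuse 8 up front rather than fail at init; no such caller is visible in this hunk. The identical change is made in fs/jffs2/zlib.c, and the function's signature lies outside the hunk.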
@@ -3860,10 +3860,12 @@
                              &s->sub.trees.tb, z);
       if (t != Z_OK)
       {
-        ZFREE(z, s->sub.trees.blens);
         r = t;
         if (r == Z_DATA_ERROR)
+       {
+         ZFREE(z, s->sub.trees.blens);
           s->mode = BADB;
+       }
         LEAVE
       }
       s->sub.trees.index = 0;
@@ -3928,11 +3930,13 @@
 #endif
         t = inflate_trees_dynamic(257 + (t & 0x1f), 1 + ((t >> 5) & 0x1f),
                                   s->sub.trees.blens, &bl, &bd, &tl, &td, z);
-        ZFREE(z, s->sub.trees.blens);
         if (t != Z_OK)
         {
           if (t == (uInt)Z_DATA_ERROR)
+         {
+           ZFREE(z, s->sub.trees.blens);
             s->mode = BADB;
+         }
           r = t;
           LEAVE
         }
@@ -3949,6 +3953,7 @@
         s->sub.decode.tl = tl;
         s->sub.decode.td = td;
       }
+      ZFREE(z, s->sub.trees.blens);
       s->mode = CODES;
     case CODES:
       UPDATE
diff -urN linux-2.4.19-pre3/fs/jffs2/zlib.c pmac/fs/jffs2/zlib.c
--- linux-2.4.19-pre3/fs/jffs2/zlib.c   Mon Sep 24 09:31:33 2001
+++ pmac/fs/jffs2/zlib.c        Mon Mar 18 21:16:32 2002
@@ -14,7 +14,7 @@
  */

 /*
- *  ==FILEVERSION 971210==
+ *  ==FILEVERSION 20020318==
  *
  * This marker is used by the Linux installation script to determine
  * whether an up-to-date version of this file is already installed.
@@ -772,7 +772,7 @@
         windowBits = -windowBits;
     }
     if (memLevel < 1 || memLevel > MAX_MEM_LEVEL || method != Z_DEFLATED ||
-        windowBits < 8 || windowBits > 15 || level < 0 || level > 9 ||
+        windowBits < 9 || windowBits > 15 || level < 0 || level > 9 ||
        strategy < 0 || strategy > Z_HUFFMAN_ONLY) {
         return Z_STREAM_ERROR;
     }
@@ -3860,10 +3860,12 @@
                              &s->sub.trees.tb, z);
       if (t != Z_OK)
       {
-        ZFREE(z, s->sub.trees.blens);
         r = t;
         if (r == Z_DATA_ERROR)
+       {
+         ZFREE(z, s->sub.trees.blens);
           s->mode = BADB;
+       }
         LEAVE
       }
       s->sub.trees.index = 0;
@@ -3928,11 +3930,13 @@
 #endif
         t = inflate_trees_dynamic(257 + (t & 0x1f), 1 + ((t >> 5) & 0x1f),
                                   s->sub.trees.blens, &bl, &bd, &tl, &td, z);
-        ZFREE(z, s->sub.trees.blens);
         if (t != Z_OK)
         {
           if (t == (uInt)Z_DATA_ERROR)
+         {
+           ZFREE(z, s->sub.trees.blens);
             s->mode = BADB;
+         }
           r = t;
           LEAVE
         }
@@ -3949,6 +3953,7 @@
         s->sub.decode.tl = tl;
         s->sub.decode.td = td;
       }
+      ZFREE(z, s->sub.trees.blens);
       s->mode = CODES;
     case CODES:
       UPDATE

 
 
 

zlib double-free bug

Post by J.A. Magallo » Wed, 20 Mar 2002 00:00:13



Quote:>Recently CERT published an advisory, warning about a bug in zlib where
>a chunk of memory could get freed twice, depending on the data being
>decompressed, which could potentially give a way to attack a system
>using zlib.  The reference is

>    http://www.cert.org/advisories/CA-2002-07.html

>All 3 of the versions of zlib in the current 2.4 kernel have this bug.
>The version in 2.5 doesn't because it handles memory allocation in a
>different way.

>The patch below fixes this bug in each of the three copies of zlib.c,
>in the same way that it is fixed in the zlib-1.1.4 release (basically
>by making sure that s->sub.trees.blens is always freed whenever, and
>only when, s->mode is changed from BTREE or DTREE to some other value).

>In the longer term I recommend that the 2.5.x changes to use a single
>copy of zlib in lib/zlib_{deflate,inflate} should be back-ported to
>2.4.  For now, this patch should be applied to 2.4.x since the bug is
>a potential security hole if you are using PPP with Deflate
>compression.

Someone posted it was here:

ftp://ftp.kernel.org/pub/linux/kernel/people/dwmw2/shared-zlib/

The only rest it leaves in 19-pre3 are:

./arch/ppc/boot/lib/zlib.c
./arch/ppc/boot/include/zlib.h

Patch already does:

--- linux-2.4.19-pre2-ac2/arch/ppc/config.in    Sun Mar  3 18:54:31 2002

    source net/bluetooth/Config.in
 fi

+source lib/Config.in
+  
 mainmenu_option next_comment
 comment 'Kernel hacking'

So wouldn't it be better to kill ppc/.../zlib and make it use also the
shared copy ?

BTW, it is the ONLY file in arch/ppc/boot/lib, so whole dir could be killed
(at least in standard tree, do not know in ppc branch...)

--
J.A. Magallon                           #  Let the source be with you...        

Mandrake Linux release 8.2 (Bluebird) for i586
Linux werewolf 2.4.19-pre3-jam3 #1 SMP Fri Mar 15 01:16:08 CET 2002 i686

 
 
 

zlib double-free bug

Post by Tom Rin » Wed, 20 Mar 2002 00:20:11



> The only rest it leaves in 19-pre3 are:

> ./arch/ppc/boot/lib/zlib.c
> ./arch/ppc/boot/include/zlib.h

> Patch already does:

> --- linux-2.4.19-pre2-ac2/arch/ppc/config.in    Sun Mar  3 18:54:31 2002
> +++ linux-2.4.19-pre2-ac2-zlib/arch/ppc/config.in   Tue Mar  5 08:57:31 2002

>     source net/bluetooth/Config.in
>  fi

> +source lib/Config.in
> +  
>  mainmenu_option next_comment
>  comment 'Kernel hacking'

> So wouldn't it be better to kill ppc/.../zlib and make it use also the
> shared copy ?

Not really.  The arch/ppc/boot version (and arch/mips/boot'ish too, when
it gets merged) are slightly different from the in-kernel ones by ~1
line, so that they allow things to be decompressed to 0x0.  My plan for
2.5 is to get the PPC version using the lib/zlib_deflate stuff (by dummy
files doing #include too), maybe.  But either way it's a non-issue (if
you can't trust the 'zImage' binary, you've got bigger problems than
someone trying to exploit a bug before Linux is running).

--
Tom Rini (TR1265)
http://gate.crashing.org/~trini/

 
 
 

zlib double-free bug

Post by David Woodhous » Wed, 20 Mar 2002 01:40:10



Quote:>  Someone posted it was here:
> ftp://ftp.kernel.org/pub/linux/kernel/people/dwmw2/shared-zlib/

Also bk://linux-mtd.bkbits.net/zlib-2.4 and in 2.4.19-ac.

After it's been in -ac for a while without mishap I'll ask Marcelo to
consider it - possibly for 2.4.20-pre1.

--
dwmw2


 
 
 

zlib double-free bug

Post by Paul Mackerra » Wed, 20 Mar 2002 07:50:10


Quote:David Woodhouse writes:
> After it's been in -ac for a while without mishap I'll ask Marcelo to
> consider it - possibly for 2.4.20-pre1.

Yep, that sounds good to me.  For now, I think my patch should go in
for 2.4.19.

Anyone who is using PPP with Deflate compression on an older 2.4.x
kernel (or for that matter a 2.2.x kernel) should apply my patch
also, or at least the part of it that affects drivers/net/zlib.c.

Paul.

 
 
 

zlib double-free bug

Post by Paul Mackerra » Wed, 20 Mar 2002 14:30:06


Someone pointed me at a previously-posted patch for the zlib
vulnerability.  While I was looking at that patch I realized that both
that patch and mine were buggy in different ways.  My patch was
freeing s->sub.trees.blens after that word had been overwritten by an
assignment to s->sub.decode.codes, whereas with the previously-posted
patch, it is still possible to get a double-free (if inflate_codes_new
returns NULL, it will leave s->mode == DTREE but s->sub.trees.blens
has already been freed).

Here is a new patch which should fix both those problems.

Paul.

diff -urN linux-2.4.19-pre3/arch/ppc/boot/lib/zlib.c pmac/arch/ppc/boot/lib/zlib.c
--- linux-2.4.19-pre3/arch/ppc/boot/lib/zlib.c  Mon Mar 18 13:34:47 2002

 /*
- * BK Id: SCCS/s.zlib.c 1.10 01/11/02 10:46:07 trini
+ * BK Id: SCCS/s.zlib.c 1.9 12/05/01 16:19:42 mporter
  */
 /*
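Review bot: The `BK Id` line goes from revision 1.10 (trini) to 1.9 (mporter), i.e. the revision number moves backwards, which looks like drift between the two trees being diffed rather than part of the fix. Dropping this hunk would keep the patch limited to the double-free change and avoid a reject, or a misleading id, when it is applied to a tree that already carries 1.10. The comment block continues outside the hunk.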

       {
         r = t;
         if (r == Z_DATA_ERROR)
+       {
+          ZFREE(z, s->sub.trees.blens, s->sub.trees.nblens * sizeof(uInt));
           s->mode = BADB;
+       }
         LEAVE
       }

           if (i + j > 258 + (t & 0x1f) + ((t >> 5) & 0x1f) ||
               (c == 16 && i < 1))
           {
+            ZFREE(z, s->sub.trees.blens, s->sub.trees.nblens * sizeof(uInt));
             s->mode = BADB;
             z->msg = "invalid bit length repeat";

         if (t != Z_OK)
         {
           if (t == (uInt)Z_DATA_ERROR)
+         {
+            ZFREE(z, s->sub.trees.blens, s->sub.trees.nblens * sizeof(uInt));
             s->mode = BADB;
+         }
           r = t;
           LEAVE
         }
diff -urN linux-2.4.19-pre3/drivers/net/zlib.c pmac/drivers/net/zlib.c
--- linux-2.4.19-pre3/drivers/net/zlib.c        Sat Apr 28 23:02:45 2001

  */

 /*
- *  ==FILEVERSION 971210==
+ *  ==FILEVERSION 20020318==
  *
  * This marker is used by the Linux installation script to determine

         windowBits = -windowBits;
     }
     if (memLevel < 1 || memLevel > MAX_MEM_LEVEL || method != Z_DEFLATED ||
-        windowBits < 8 || windowBits > 15 || level < 0 || level > 9 ||
+        windowBits < 9 || windowBits > 15 || level < 0 || level > 9 ||
        strategy < 0 || strategy > Z_HUFFMAN_ONLY) {
         return Z_STREAM_ERROR;

                              &s->sub.trees.tb, z);
       if (t != Z_OK)
       {
-        ZFREE(z, s->sub.trees.blens);
         r = t;
         if (r == Z_DATA_ERROR)
+       {
+         ZFREE(z, s->sub.trees.blens);
           s->mode = BADB;
+       }
         LEAVE
       }

 #endif
         t = inflate_trees_dynamic(257 + (t & 0x1f), 1 + ((t >> 5) & 0x1f),
                                   s->sub.trees.blens, &bl, &bd, &tl, &td, z);
-        ZFREE(z, s->sub.trees.blens);
         if (t != Z_OK)
         {
           if (t == (uInt)Z_DATA_ERROR)
+         {
+           ZFREE(z, s->sub.trees.blens);
             s->mode = BADB;
+         }
           r = t;
           LEAVE

           r = Z_MEM_ERROR;
           LEAVE
         }
+        ZFREE(z, s->sub.trees.blens);
         s->sub.decode.codes = c;
         s->sub.decode.tl = tl;
         s->sub.decode.td = td;
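Review bot: The added `ZFREE(z, s->sub.trees.blens);` has to stay ahead of `s->sub.decode.codes = c;`, because, per the message that introduces this patch, that store overwrites the word holding blens; nothing in the code says so, and the earlier version of the patch got the order wrong. A one-line comment on the free, such as `/* must precede the sub.decode stores, which overwrite sub.trees.blens */`, would stop the two statements from being reordered again. On the `Z_MEM_ERROR` exit just above, blens is not freed and `s->mode` is not changed, which is worth stating in the same comment so the exit is not mistaken for a leak. The same hunk appears for fs/jffs2/zlib.c; the hunk headers are missing from this copy of the patch, so positions in the file cannot be given.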
diff -urN linux-2.4.19-pre3/fs/jffs2/zlib.c pmac/fs/jffs2/zlib.c
--- linux-2.4.19-pre3/fs/jffs2/zlib.c   Mon Sep 24 09:31:33 2001

  */

 /*
- *  ==FILEVERSION 971210==
+ *  ==FILEVERSION 20020318==
  *
  * This marker is used by the Linux installation script to determine

         windowBits = -windowBits;
     }
     if (memLevel < 1 || memLevel > MAX_MEM_LEVEL || method != Z_DEFLATED ||
-        windowBits < 8 || windowBits > 15 || level < 0 || level > 9 ||
+        windowBits < 9 || windowBits > 15 || level < 0 || level > 9 ||
        strategy < 0 || strategy > Z_HUFFMAN_ONLY) {
         return Z_STREAM_ERROR;

                              &s->sub.trees.tb, z);
       if (t != Z_OK)
       {
-        ZFREE(z, s->sub.trees.blens);
         r = t;
         if (r == Z_DATA_ERROR)
+       {
+         ZFREE(z, s->sub.trees.blens);
           s->mode = BADB;
+       }
         LEAVE
       }

 #endif
         t = inflate_trees_dynamic(257 + (t & 0x1f), 1 + ((t >> 5) & 0x1f),
                                   s->sub.trees.blens, &bl, &bd, &tl, &td, z);
-        ZFREE(z, s->sub.trees.blens);
         if (t != Z_OK)
         {
           if (t == (uInt)Z_DATA_ERROR)
+         {
+           ZFREE(z, s->sub.trees.blens);
             s->mode = BADB;
+         }
           r = t;
           LEAVE

           r = Z_MEM_ERROR;
           LEAVE
         }
+        ZFREE(z, s->sub.trees.blens);
         s->sub.decode.codes = c;
         s->sub.decode.tl = tl;
         s->sub.decode.td = td;

 
 
 

zlib double-free bug

Post by David Woodhous » Wed, 20 Mar 2002 19:50:10



> David Woodhouse writes:

> > After it's been in -ac for a while without mishap I'll ask Marcelo to
> > consider it - possibly for 2.4.20-pre1.

> Yep, that sounds good to me.  For now, I think my patch should go in
> for 2.4.19.

Absolutely - sorry, I didn't mean to imply otherwise.

For the record - it's not worth bothering with fs/jffs2/zlib.c; if they
can corrupt your file system on the medium, why bother with cracking zlib?
:)

--
dwmw2


 
 
 

zlib double-free bug

Post by David Woodhous » Wed, 20 Mar 2002 23:00:14



> For the record - it's not worth bothering with fs/jffs2/zlib.c; if they
> can corrupt your file system on the medium, why bother with cracking zlib?
> :)

To preempt anyone else objecting to this...

I mean, given that we have a CRC on jffs2 nodes anyway, so the chances of
any accidentally corrupted input actually being fed to the decompressor
are virtually zero, it's not worth patching the 2.4.19 zlib when I want to
put the shared zlib into 2.4.20 anyway.

I'm not going to object to anyone else doing so, but I can't be bothered
to do it myself, as it would have virtually zero benefit and would mean
I'd have to update the shared-zlib patches for 2.4.

Infinitely more people (i.e. at least one) have been bitten by the fact
that you can't build both ppp_deflate and jffs2 into a 2.4 kernel.

--
dwmw2


 
 
 

zlib double-free bug

Post by H. Peter Anvi » Thu, 21 Mar 2002 03:10:13




In newsgroup: linux.dev.kernel


> > David Woodhouse writes:

> > > After it's been in -ac for a while without mishap I'll ask Marcelo to
> > > consider it - possibly for 2.4.20-pre1.

> > Yep, that sounds good to me.  For now, I think my patch should go in
> > for 2.4.19.

> Absolutely - sorry, I didn't mean to imply otherwise.

> For the record - it's not worth bothering with fs/jffs2/zlib.c; if they
> can corrupt your file system on the medium, why bother with cracking zlib?
> :)

Removable media?

        -hpa
--

"Unix gives you enough rope to shoot yourself in the foot."


 
 
 

zlib double-free bug

Post by Dave Jone » Thu, 21 Mar 2002 04:20:10


 > > For the record - it's not worth bothering with fs/jffs2/zlib.c; if they
 > > can corrupt your file system on the medium, why bother with cracking zlib?
 > Removable media?

 If attacker has physical access to the media, there are far simpler
 ways of corrupting it than zlib exploitation. 8-)

--
| Dave Jones.        http://www.codemonkey.org.uk
| SuSE Labs

 
 
 

zlib double-free bug

Post by H. Peter Anvi » Thu, 21 Mar 2002 04:40:10



>  > > For the record - it's not worth bothering with fs/jffs2/zlib.c; if they
>  > > can corrupt your file system on the medium, why bother with cracking zlib?
>  > Removable media?

>  If attacker has physical access to the media, there are far simpler
>  ways of corrupting it than zlib exploitation. 8-)

Right, but you don't want someone to insert a removable medium and have
the system crash in response.

        -hpa


 
 
 

zlib double-free bug

Post by Dave Jone » Thu, 21 Mar 2002 05:00:10


 > Right, but you don't want someone to insert a removable medium and have
 > the system crash in response.

 My understanding from one of dwmw2's earlier posts was that jffs2
 has crc's that would prevent this happening anyway (or at least make
 it nigh on impossible)
--
| Dave Jones.        http://www.codemonkey.org.uk
| SuSE Labs

 
 
 

zlib double-free bug

Post by H. Peter Anvi » Thu, 21 Mar 2002 05:10:04




>  > Right, but you don't want someone to insert a removable medium and have
>  > the system crash in response.

>  My understanding from one of dwmw2's earlier posts was that jffs2
>  has crc's that would prevent this happening anyway (or at least make
>  it nigh on impossible)

I doubt that.  We're talking about corrupting the kernel VM.

        -hpa


 
 
 

zlib double-free bug

Post by Dave Jone » Thu, 21 Mar 2002 05:20:05


 > >  My understanding from one of dwmw2's earlier posts was that jffs2
 > >  has crc's that would prevent this happening anyway (or at least make
 > >  it nigh on impossible)
 > I doubt that.  We're talking about corrupting the kernel VM.

 Ignore me, I'm losing my mind.

--
| Dave Jones.        http://www.codemonkey.org.uk
| SuSE Labs

 
 
 

zlib double-free bug

Post by Nicolas Pitr » Thu, 21 Mar 2002 05:40:11





> In newsgroup: linux.dev.kernel

> > For the record - it's not worth bothering with fs/jffs2/zlib.c; if they
> > can corrupt your file system on the medium, why bother with cracking zlib?
> > :)

> Removable media?

Most if not all removable media are not meant to be used with JFFS2.

Nicolas


 
 
 
