From: Tobias Stoeckmann <tobias@stoeckmann.org>
To: util-linux@vger.kernel.org
Subject: Re: [PATCH] fsck.cramfs: Fix bus error on broken file system.
Date: Fri, 27 Oct 2017 07:47:43 +0200
Message-ID: <20171027054743.GA1907@localhost>
In-Reply-To: <20171026200117.GA14920@localhost>

The utility fsck.cramfs is prone to a bus error on file systems for
big endian systems with non-standard header sizes. While calculating
the crc32 checksum, it does not properly handle a possible offset
for bootcodes, resulting in out of boundary access of mmap'ed area.

You can trigger the issue with the following commands:

$ mkdir -p cramfs-poc/root/subdir
$ cd cramfs-poc
$ mkfs.cramfs -p -N big root cramfs
$ echo -ne \\00\\x4c | dd of=cramfs bs=1 seek=518 count=2 conv=notrunc
$ fsck.cramfs cramfs

Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
---
This is the second and much cleaner version of the initial patch.
We can easily use the offset of mmap, which heavily reduces the
manual buf + start calculation.
---
 disk-utils/fsck.cramfs.c | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/disk-utils/fsck.cramfs.c b/disk-utils/fsck.cramfs.c
index 50c7d33b9..cafa659af 100644
--- a/disk-utils/fsck.cramfs.c
+++ b/disk-utils/fsck.cramfs.c
@@ -220,7 +220,7 @@ static void test_crc(int start)
 	crc = crc32(0L, NULL, 0);
 
 	buf =
-	    mmap(NULL, super.size, PROT_READ | PROT_WRITE, MAP_PRIVATE, fd, 0);
+	    mmap(NULL, super.size, PROT_READ | PROT_WRITE, MAP_PRIVATE, fd, start);
 	if (buf == MAP_FAILED) {
 		buf =
 		    mmap(NULL, super.size, PROT_READ | PROT_WRITE,
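Review bot: the offset passed in `+ mmap(NULL, super.size, PROT_READ | PROT_WRITE, MAP_PRIVATE, fd, start);` is the bootcode padding, not a page-aligned value, and mmap requires the file offset to be a multiple of the page size; for the 512 bytes that `mkfs.cramfs -p` reserves in the reproducer, mmap returns EINVAL, so the file mapping never succeeds and every run takes the anonymous-mapping fallback in `if (buf == MAP_FAILED)`. Either round `start` down to a page boundary and address the superblock by the remainder inside the mapping, or keep offset 0 and fix the length arithmetic instead. Whichever way, the fallback branch below, which this diff leaves untouched, has to deliver `buf` with the same layout the checksum code now expects (superblock at `buf`, no longer at `buf + start`), otherwise the two paths hash different bytes.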
@@ -233,9 +233,8 @@ static void test_crc(int start)
 		}
 	}
 	if (buf != MAP_FAILED) {
-		((struct cramfs_super *)((unsigned char *) buf + start))->fsid.crc =
-		    crc32(0L, NULL, 0);
-		crc = crc32(crc, (unsigned char *) buf + start, super.size - start);
+		((struct cramfs_super *) buf)->fsid.crc = crc32(0L, NULL, 0);
+		crc = crc32(crc, buf, super.size);
 		munmap(buf, super.size);
 	} else {
 		int retval;
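Review bot: the length in `+ crc = crc32(crc, buf, super.size);` does not match the region the removed line hashed. The old call covered `super.size - start` bytes from `buf + start`, i.e. image bytes [start, super.size); with the mapping now starting at offset `start`, hashing `super.size` bytes from `buf` covers [start, start + super.size), which runs `start` bytes past the end of a super.size-byte image and brings back the out-of-range access the patch is meant to remove. The mmap length in the previous hunk has the same problem. `super.size - start` is the right length in both places, and because super.size comes straight from the image it needs a `super.size > start` check before that subtraction (super.size is a u32, so the difference wraps otherwise); the reproducer's two-byte write into the size field at offset 518 produces exactly that kind of value, and `start` being padding only, the minimum should really be `start + sizeof(struct cramfs_super)`.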
-- 
2.14.3
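Added example, not util-linux code and not part of the patch above: a stand-alone C program showing the checksum pattern that test_crc() implements, done with the three checks this fix circles around (the size field validated against the real file size before it becomes a length, no wrap-around in size - start, and a page-aligned mmap offset). It assumes a simplified header `struct image_hdr` in place of the real struct cramfs_super, a constructed image with 512 bytes of padding, and its own bitwise CRC-32 (same polynomial as zlib's crc32) so nothing has to be linked; `crc_region`, `build_image`, `write_temp`, `demo_consistent` and `demo_bad_sizes_rejected` are names introduced here.

```c
/* Added example; struct image_hdr, PAD and the CRC helper are assumptions made
 * for this demonstration, not the cramfs on-disk layout or util-linux code. */
#define _DEFAULT_SOURCE
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <unistd.h>

#define PAD     512   /* bootcode padding, the amount mkfs.cramfs -p reserves */
#define PAYLOAD 1000  /* constructed data after the header */

struct image_hdr {        /* hypothetical, simplified; not struct cramfs_super */
    uint32_t magic;
    uint32_t size;        /* total image size, padding included, read from the image */
    uint32_t crc;         /* CRC-32 over [PAD, size) with this field zeroed */
};

/* CRC-32, IEEE polynomial, bitwise; matches zlib's crc32() when started at 0. */
static uint32_t crc32_update(uint32_t crc, const unsigned char *p, size_t n)
{
    crc = ~crc;
    for (size_t i = 0; i < n; i++) {
        crc ^= p[i];
        for (int k = 0; k < 8; k++)
            crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
    return ~crc;
}

/* Checksum bytes [start, size) of the file behind fd: 0 and *out on success,
 * -1 when the size field does not fit the file or mmap fails. The size field
 * is checked against fstat() before use, size - start cannot wrap because
 * size < start + header is rejected first, and the mmap offset is rounded
 * down to a page boundary (mmap requires that), the region being addressed
 * by the remainder inside the mapping. */
static int crc_region(int fd, size_t start, size_t size, uint32_t *out)
{
    struct stat st;
    if (fstat(fd, &st) == -1)
        return -1;
    if (size < start + sizeof(struct image_hdr) || (off_t) size > st.st_size)
        return -1;
    long page = sysconf(_SC_PAGESIZE);
    if (page <= 0)
        return -1;
    size_t map_off = start & ~((size_t) page - 1);  /* page-aligned file offset */
    size_t delta = start - map_off;                  /* where start sits in the map */
    size_t map_len = delta + (size - start);         /* never past the file end */
    unsigned char *buf = mmap(NULL, map_len, PROT_READ | PROT_WRITE,
                              MAP_PRIVATE, fd, (off_t) map_off);
    if (buf == MAP_FAILED)
        return -1;
    /* Zero the stored CRC before hashing; MAP_PRIVATE leaves the file untouched. */
    memset(buf + delta + offsetof(struct image_hdr, crc), 0, sizeof(uint32_t));
    *out = crc32_update(0, buf + delta, size - start);
    munmap(buf, map_len);
    return 0;
}

/* Constructed image: padding, header carrying the given size field, payload. */
static size_t build_image(unsigned char *img, uint32_t size_field)
{
    struct image_hdr hdr = { 0x28cd3d45u, size_field, 0xdeadbeefu }; /* crc: any value */
    memset(img, 0xAA, PAD);                 /* padding is not covered by the CRC */
    memcpy(img + PAD, &hdr, sizeof hdr);
    for (size_t i = 0; i < PAYLOAD; i++)
        img[PAD + sizeof hdr + i] = (unsigned char) i;
    return PAD + sizeof hdr + PAYLOAD;
}

/* Write the image to an unlinked temporary file and return its descriptor. */
static int write_temp(const unsigned char *img, size_t len)
{
    char path[] = "/tmp/cramfs-crc-XXXXXX";
    int fd = mkstemp(path);
    if (fd == -1)
        return -1;
    unlink(path);
    if (write(fd, img, len) != (ssize_t) len) { close(fd); return -1; }
    return fd;
}

/* 1 when the mmap path agrees with a plain in-memory checksum of a sane image. */
static int demo_consistent(void)
{
    unsigned char img[PAD + sizeof(struct image_hdr) + PAYLOAD];
    size_t total = build_image(img, (uint32_t) sizeof img);
    int fd = write_temp(img, total);
    if (fd == -1)
        return 0;
    uint32_t got = 0;
    int rc = crc_region(fd, PAD, total, &got);
    close(fd);
    memset(img + PAD + offsetof(struct image_hdr, crc), 0, sizeof(uint32_t));
    return rc == 0 && got == crc32_update(0, img + PAD, total - PAD);
}

/* 1 when corrupted size fields are rejected rather than used as a length: one
 * smaller than the padding (size - start would wrap) and one larger than the file. */
static int demo_bad_sizes_rejected(void)
{
    const uint32_t bad[] = { 0x4cu, 0x4c0000u };   /* constructed bogus size fields */
    for (size_t i = 0; i < 2; i++) {
        unsigned char img[PAD + sizeof(struct image_hdr) + PAYLOAD];
        size_t total = build_image(img, bad[i]);
        int fd = write_temp(img, total);
        if (fd == -1)
            return 0;
        uint32_t got = 0;
        int rc = crc_region(fd, PAD, bad[i], &got);
        close(fd);
        if (rc != -1)
            return 0;
    }
    return 1;
}
```

The two demo functions stand in for a main: demo_consistent() builds a well-formed image and checks that the mapped checksum equals one computed over the in-memory copy; demo_bad_sizes_rejected() feeds a size field below the padding and one beyond the file and expects crc_region() to refuse both instead of mapping and reading past EOF, which is the SIGBUS the reproducer above triggers.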