Kernel Fun

The squashfs module of the Linux kernel (2.6.x) fails to properly handle corrupted fs structures, leading to a denial of service and possible data corruption condition. A specially crafted squashfs image will cause the kernel to double free a buffer when a read operation is performed on the corrupted filesystem.

• http://projects.info-pull.com/mokb/MOKB-02-11-2006.html
• Proof of concept: http://projects.info-pull.com/mokb/bug-files/MOKB-02-11-2006.img.gz