5.4-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 12 Dec 2024 08:42:29 +0000 (09:42 +0100)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 12 Dec 2024 08:42:29 +0000 (09:42 +0100)
added patches:
jffs2-fix-rtime-decompressor.patch
jffs2-prevent-rtime-decompress-memory-corruption.patch

queue-5.4/jffs2-fix-rtime-decompressor.patch [new file with mode: 0644]
queue-5.4/jffs2-prevent-rtime-decompress-memory-corruption.patch [new file with mode: 0644]
queue-5.4/series

diff --git a/queue-5.4/jffs2-fix-rtime-decompressor.patch b/queue-5.4/jffs2-fix-rtime-decompressor.patch
new file mode 100644 (file)
index 0000000..f1410bc
--- /dev/null
@@ -0,0 +1,32 @@
+From b29bf7119d6bbfd04aabb8d82b060fe2a33ef890 Mon Sep 17 00:00:00 2001
+From: Richard Weinberger <richard@nod.at>
+Date: Tue, 3 Dec 2024 12:27:15 +0100
+Subject: jffs2: Fix rtime decompressor
+
+From: Richard Weinberger <richard@nod.at>
+
+commit b29bf7119d6bbfd04aabb8d82b060fe2a33ef890 upstream.
+
+The fix for a memory corruption contained a off-by-one error and
+caused the compressor to fail in legit cases.
+
+Cc: Kinsey Moore <kinsey.moore@oarcorp.com>
+Cc: stable@vger.kernel.org
+Fixes: fe051552f5078 ("jffs2: Prevent rtime decompress memory corruption")
+Signed-off-by: Richard Weinberger <richard@nod.at>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/jffs2/compr_rtime.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/jffs2/compr_rtime.c
++++ b/fs/jffs2/compr_rtime.c
+@@ -95,7 +95,7 @@ static int jffs2_rtime_decompress(unsign
+               positions[value]=outpos;
+               if (repeat) {
+-                      if ((outpos + repeat) >= destlen) {
++                      if ((outpos + repeat) > destlen) {
+                               return 1;
+                       }
+                       if (backoffs + repeat >= outpos) {
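Review bot: The corrected comparison `(outpos + repeat) > destlen` has no comment saying why equality is allowed, although this boundary has already been wrong once. A one-line comment above the check would record the intent for later backports, for example `/* a run may end exactly at destlen; only a run that would pass the end is rejected */`. The body of jffs2_rtime_decompress starts and ends outside the hunk, so the declarations of outpos, repeat and destlen cannot be checked from here.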
diff --git a/queue-5.4/jffs2-prevent-rtime-decompress-memory-corruption.patch b/queue-5.4/jffs2-prevent-rtime-decompress-memory-corruption.patch
new file mode 100644 (file)
index 0000000..078df2a
--- /dev/null
@@ -0,0 +1,34 @@
+From fe051552f5078fa02d593847529a3884305a6ffe Mon Sep 17 00:00:00 2001
+From: Kinsey Moore <kinsey.moore@oarcorp.com>
+Date: Tue, 23 Jul 2024 15:58:05 -0500
+Subject: jffs2: Prevent rtime decompress memory corruption
+
+From: Kinsey Moore <kinsey.moore@oarcorp.com>
+
+commit fe051552f5078fa02d593847529a3884305a6ffe upstream.
+
+The rtime decompression routine does not fully check bounds during the
+entirety of the decompression pass and can corrupt memory outside the
+decompression buffer if the compressed data is corrupted. This adds the
+required check to prevent this failure mode.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Kinsey Moore <kinsey.moore@oarcorp.com>
+Signed-off-by: Richard Weinberger <richard@nod.at>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/jffs2/compr_rtime.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/fs/jffs2/compr_rtime.c
++++ b/fs/jffs2/compr_rtime.c
+@@ -95,6 +95,9 @@ static int jffs2_rtime_decompress(unsign
+               positions[value]=outpos;
+               if (repeat) {
++                      if ((outpos + repeat) >= destlen) {
++                              return 1;
++                      }
+                       if (backoffs + repeat >= outpos) {
+                               while(repeat) {
+                                       cpage_out[outpos++] = cpage_out[backoffs++];
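Review bot: The added check bounds only the writes into `cpage_out`; nothing visible in this hunk limits how far the loop reads from the compressed input, and the patch description is specifically about corrupted data. The body of jffs2_rtime_decompress starts and ends outside the hunk, so it is worth confirming there that the input index is compared against the source length before each read. If it is not, a comment such as `/* input reads are not bounded in this loop; the caller must supply a complete stream */` would at least document the assumption. As added here the `>=` test also rejects a run that ends exactly at destlen, so this patch should stay paired with the follow-up queued after it in the series file.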
index fe1724231097f46112b64098fe17e1e2adb47851..dc178bcb67a740702655fe3b6cd3b7a553330c9d 100644 (file)
@@ -313,3 +313,5 @@ perf-x86-intel-pt-fix-buffer-full-but-size-is-0-case.patch
 kvm-arm64-vgic-its-add-a-data-length-check-in-vgic_its_save_.patch
 kvm-arm64-vgic-its-clear-dte-when-mapd-unmaps-a-device.patch
 kvm-arm64-vgic-its-clear-ite-when-discard-frees-an-ite.patch
+jffs2-prevent-rtime-decompress-memory-corruption.patch
+jffs2-fix-rtime-decompressor.patch