5.4-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 13 May 2024 10:27:44 +0000 (12:27 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 13 May 2024 10:27:44 +0000 (12:27 +0200)
added patches:
firewire-nosy-ensure-user_length-is-taken-into-account-when-fetching-packet-contents.patch

queue-5.4/firewire-nosy-ensure-user_length-is-taken-into-account-when-fetching-packet-contents.patch [new file with mode: 0644]
queue-5.4/series

diff --git a/queue-5.4/firewire-nosy-ensure-user_length-is-taken-into-account-when-fetching-packet-contents.patch b/queue-5.4/firewire-nosy-ensure-user_length-is-taken-into-account-when-fetching-packet-contents.patch
new file mode 100644 (file)
index 0000000..ab89a1b
--- /dev/null
@@ -0,0 +1,38 @@
+From 38762a0763c10c24a4915feee722d7aa6e73eb98 Mon Sep 17 00:00:00 2001
+From: Thanassis Avgerinos <thanassis.avgerinos@gmail.com>
+Date: Wed, 17 Apr 2024 11:30:02 -0400
+Subject: firewire: nosy: ensure user_length is taken into account when fetching packet contents
+
+From: Thanassis Avgerinos <thanassis.avgerinos@gmail.com>
+
+commit 38762a0763c10c24a4915feee722d7aa6e73eb98 upstream.
+
+Ensure that packet_buffer_get respects the user_length provided. If
+the length of the head packet exceeds the user_length, packet_buffer_get
+will now return 0 to signify to the user that no data were read
+and a larger buffer size is required. Helps prevent user space overflows.
+
+Signed-off-by: Thanassis Avgerinos <thanassis.avgerinos@gmail.com>
+Signed-off-by: Takashi Sakamoto <o-takashi@sakamocchi.jp>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/firewire/nosy.c |    6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/firewire/nosy.c
++++ b/drivers/firewire/nosy.c
+@@ -148,10 +148,12 @@ packet_buffer_get(struct client *client,
+       if (atomic_read(&buffer->size) == 0)
+               return -ENODEV;
+-      /* FIXME: Check length <= user_length. */
++      length = buffer->head->length;
++
++      if (length > user_length)
++              return 0;
+       end = buffer->data + buffer->capacity;
+-      length = buffer->head->length;
+       if (&buffer->head->data[length] < end) {
+               if (copy_to_user(data, buffer->head->data, length))
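Review bot: The added `if (length > user_length) return 0;` in the nested nosy.c hunk has no comment explaining its return value, and user space normally treats a zero-byte result on a read path as end-of-file rather than "buffer too small". The check sits before the visible copy_to_user(), so the copy length is now bounded by the caller's buffer, which is the point of the fix. As far as the visible lines show, the head packet is not consumed on this path, so a reader that retries with the same buffer size would presumably keep getting 0. I would add a comment above the check such as `/* Head packet is larger than the caller's buffer: copy nothing, leave it queued and return 0 so the caller can retry with a larger buffer. */`. The body of packet_buffer_get starts before and continues past this hunk, so the rest of the copy path cannot be confirmed from here.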
index bc91addbfc9b6bcc4eec9f046712eea89f5d1710..d1cc345cef42e885a2e177800a688bc6e6ff2ebc 100644 (file)
@@ -73,3 +73,4 @@ net-bridge-fix-corrupted-ethernet-header-on-multicas.patch
 ipv6-fib6_rules-avoid-possible-null-dereference-in-f.patch
 net-qede-sanitize-rc-in-qede_add_tc_flower_fltr.patch
 net-qede-use-return-from-qede_parse_flow_attr-for-fl.patch-6660
+firewire-nosy-ensure-user_length-is-taken-into-account-when-fetching-packet-contents.patch