3.18-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sun, 11 Nov 2018 18:14:23 +0000 (10:14 -0800)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sun, 11 Nov 2018 18:14:23 +0000 (10:14 -0800)
added patches:
cramfs-fix-abad-comparison-when-wrap-arounds-occur.patch

queue-3.18/cramfs-fix-abad-comparison-when-wrap-arounds-occur.patch [new file with mode: 0644]
queue-3.18/series

diff --git a/queue-3.18/cramfs-fix-abad-comparison-when-wrap-arounds-occur.patch b/queue-3.18/cramfs-fix-abad-comparison-when-wrap-arounds-occur.patch
new file mode 100644 (file)
index 0000000..6640fe4
--- /dev/null
@@ -0,0 +1,34 @@
+From 672ca9dd13f1aca0c17516f76fc5b0e8344b3e46 Mon Sep 17 00:00:00 2001
+From: Nicolas Pitre <nicolas.pitre@linaro.org>
+Date: Tue, 30 Oct 2018 13:26:15 -0400
+Subject: Cramfs: fix abad comparison when wrap-arounds occur
+
+From: Nicolas Pitre <nicolas.pitre@linaro.org>
+
+commit 672ca9dd13f1aca0c17516f76fc5b0e8344b3e46 upstream.
+
+It is possible for corrupted filesystem images to produce very large
+block offsets that may wrap when a length is added, and wrongly pass
+the buffer size test.
+
+Reported-by: Anatoly Trosinenko <anatoly.trosinenko@gmail.com>
+Signed-off-by: Nicolas Pitre <nico@linaro.org>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/cramfs/inode.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/fs/cramfs/inode.c
++++ b/fs/cramfs/inode.c
+@@ -185,7 +185,8 @@ static void *cramfs_read(struct super_bl
+                       continue;
+               blk_offset = (blocknr - buffer_blocknr[i]) << PAGE_CACHE_SHIFT;
+               blk_offset += offset;
+-              if (blk_offset + len > BUFFER_SIZE)
++              if (blk_offset > BUFFER_SIZE ||
++                  blk_offset + len > BUFFER_SIZE)
+                       continue;
+               return read_buffers[i] + blk_offset;
+       }
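Review bot: The second half of the new guard in cramfs_read(), `blk_offset + len > BUFFER_SIZE`, still adds before it compares, so it is only sound if `len` can never be large enough to wrap the sum once `blk_offset` is known to be at most BUFFER_SIZE. Writing the test subtractively removes that dependency on the callers: `if (blk_offset > BUFFER_SIZE || len > BUFFER_SIZE - blk_offset) continue;`. The declarations of `blk_offset` and `len` and the call sites are outside this hunk, so whether `len` is already bounded for images from untrusted media needs confirming against the 3.18 tree. The same applies to the shift and the `blk_offset += offset` on the two context lines above, which may themselves wrap to a small value before the check runs. A one-line comment above the condition, such as `/* blk_offset comes from on-disk data and may have wrapped */`, would record why the comparison is split.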
index 2e13fa805afb0d03860174d23a92fa8bbb18d82f..0e01a12b3d31c373dbebb3d26f6c3b22fa2c0722 100644 (file)
@@ -52,3 +52,4 @@ kgdboc-passing-ekgdboc-to-command-line-causes-panic.patch
 media-em28xx-use-a-default-format-if-try_fmt-fails.patch
 media-em28xx-fix-input-name-for-terratec-av-350.patch
 media-em28xx-make-v4l2-compliance-happier-by-starting-sequence-on-zero.patch
+cramfs-fix-abad-comparison-when-wrap-arounds-occur.patch