6.1-stable patches

added patches:
	ocfs2-strict-bound-check-before-memcmp-in-ocfs2_xattr_find_entry.patch
	series

diff --git a/queue-6.1/ocfs2-strict-bound-check-before-memcmp-in-ocfs2_xattr_find_entry.patch b/queue-6.1/ocfs2-strict-bound-check-before-memcmp-in-ocfs2_xattr_find_entry.patch
new file mode 100644 (file)
index 0000000..03d487f
--- /dev/null
+++ b/queue-6.1/ocfs2-strict-bound-check-before-memcmp-in-ocfs2_xattr_find_entry.patch
@@ -0,0 +1,62 @@
+From af77c4fc1871847b528d58b7fdafb4aa1f6a9262 Mon Sep 17 00:00:00 2001
+From: Ferry Meng <mengferry@linux.alibaba.com>
+Date: Mon, 20 May 2024 10:40:24 +0800
+Subject: ocfs2: strict bound check before memcmp in ocfs2_xattr_find_entry()
+
+From: Ferry Meng <mengferry@linux.alibaba.com>
+
+commit af77c4fc1871847b528d58b7fdafb4aa1f6a9262 upstream.
+
+xattr in ocfs2 maybe 'non-indexed', which saved with additional space
+requested.  It's better to check if the memory is out of bound before
+memcmp, although this possibility mainly comes from crafted poisonous
+images.
+
+Link: https://lkml.kernel.org/r/20240520024024.1976129-2-joseph.qi@linux.alibaba.com
+Signed-off-by: Ferry Meng <mengferry@linux.alibaba.com>
+Signed-off-by: Joseph Qi <joseph.qi@linux.alibaba.com>
+Reported-by: lei lu <llfamsec@gmail.com>
+Reviewed-by: Joseph Qi <joseph.qi@linux.alibaba.com>
+Cc: Changwei Ge <gechangwei@live.cn>
+Cc: Gang He <ghe@suse.com>
+Cc: Joel Becker <jlbec@evilplan.org>
+Cc: Jun Piao <piaojun@huawei.com>
+Cc: Junxiao Bi <junxiao.bi@oracle.com>
+Cc: Mark Fasheh <mark@fasheh.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/ocfs2/xattr.c |   15 ++++++++++-----
+ 1 file changed, 10 insertions(+), 5 deletions(-)
+
+--- a/fs/ocfs2/xattr.c
++++ b/fs/ocfs2/xattr.c
+@@ -1072,7 +1072,7 @@ static int ocfs2_xattr_find_entry(int na
+ {
+       struct ocfs2_xattr_entry *entry;
+       size_t name_len;
+-      int i, cmp = 1;
++      int i, name_offset, cmp = 1;
+ 
+       if (name == NULL)
+               return -EINVAL;
+@@ -1083,10 +1083,15 @@ static int ocfs2_xattr_find_entry(int na
+               cmp = name_index - ocfs2_xattr_get_type(entry);
+               if (!cmp)
+                       cmp = name_len - entry->xe_name_len;
+-              if (!cmp)
+-                      cmp = memcmp(name, (xs->base +
+-                                   le16_to_cpu(entry->xe_name_offset)),
+-                                   name_len);
++              if (!cmp) {
++                      name_offset = le16_to_cpu(entry->xe_name_offset);
++                      if ((xs->base + name_offset + name_len) > xs->end) {
++                              ocfs2_error(inode->i_sb,
++                                          "corrupted xattr entries");
++                              return -EFSCORRUPTED;
++                      }
++                      cmp = memcmp(name, (xs->base + name_offset), name_len);
++              }
+               if (cmp == 0)
+                       break;
+               entry += 1;

diff --git a/queue-6.1/series b/queue-6.1/series
new file mode 100644 (file)
index 0000000..5328143
--- /dev/null
+++ b/queue-6.1/series
@@ -0,0 +1 @@
+ocfs2-strict-bound-check-before-memcmp-in-ocfs2_xattr_find_entry.patch