4.19-stable patches

author Greg Kroah-Hartman <gregkh@linuxfoundation.org>

Mon, 13 May 2024 10:27:32 +0000 (12:27 +0200)

committer Greg Kroah-Hartman <gregkh@linuxfoundation.org>

Mon, 13 May 2024 10:27:32 +0000 (12:27 +0200)
author Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 13 May 2024 10:27:32 +0000 (12:27 +0200)
committer Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 13 May 2024 10:27:32 +0000 (12:27 +0200)
diff --git a/queue-4.19/firewire-nosy-ensure-user_length-is-taken-into-account-when-fetching-packet-contents.patch b/queue-4.19/firewire-nosy-ensure-user_length-is-taken-into-account-when-fetching-packet-contents.patch

new file mode 100644 (file)

index 0000000..80b31b5
--- /dev/null
+++ b/queue-4.19/firewire-nosy-ensure-user_length-is-taken-into-account-when-fetching-packet-contents.patch
@@ -0,0 +1,38 @@
+From 38762a0763c10c24a4915feee722d7aa6e73eb98 Mon Sep 17 00:00:00 2001
+From: Thanassis Avgerinos <thanassis.avgerinos@gmail.com>
+Date: Wed, 17 Apr 2024 11:30:02 -0400
+Subject: firewire: nosy: ensure user_length is taken into account when fetching packet contents
+
+From: Thanassis Avgerinos <thanassis.avgerinos@gmail.com>
+
+commit 38762a0763c10c24a4915feee722d7aa6e73eb98 upstream.
+
+Ensure that packet_buffer_get respects the user_length provided. If
+the length of the head packet exceeds the user_length, packet_buffer_get
+will now return 0 to signify to the user that no data were read
+and a larger buffer size is required. Helps prevent user space overflows.
+
+Signed-off-by: Thanassis Avgerinos <thanassis.avgerinos@gmail.com>
+Signed-off-by: Takashi Sakamoto <o-takashi@sakamocchi.jp>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/firewire/nosy.c |    6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/firewire/nosy.c
++++ b/drivers/firewire/nosy.c
+@@ -161,10 +161,12 @@ packet_buffer_get(struct client *client,
+       if (atomic_read(&buffer->size) == 0)
+               return -ENODEV;
+ 
+-      /* FIXME: Check length <= user_length. */
++      length = buffer->head->length;
++
++      if (length > user_length)
++              return 0;
+ 
+       end = buffer->data + buffer->capacity;
+-      length = buffer->head->length;
+ 
+       if (&buffer->head->data[length] < end) {
+               if (copy_to_user(data, buffer->head->data, length))
diff --git a/queue-4.19/series b/queue-4.19/series

index 405031620e31ab23c01f42a13ff243f9e019b2bf..dd08ff6993fa5d0c0341f488b2914043556b197f 100644 (file)
--- a/queue-4.19/series
+++ b/queue-4.19/series
@@ -53,3 +53,4 @@ net-bridge-fix-corrupted-ethernet-header-on-multicas.patch
  ipv6-fib6_rules-avoid-possible-null-dereference-in-f.patch
  af_unix-do-not-use-atomic-ops-for-unix_sk-sk-infligh.patch
  af_unix-fix-garbage-collector-racing-against-connect.patch
+firewire-nosy-ensure-user_length-is-taken-into-account-when-fetching-packet-contents.patch
author	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	Mon, 13 May 2024 10:27:32 +0000 (12:27 +0200)
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	Mon, 13 May 2024 10:27:32 +0000 (12:27 +0200)
queue-4.19/firewire-nosy-ensure-user_length-is-taken-into-account-when-fetching-packet-contents.patch	[new file with mode: 0644]	patch \| blob
queue-4.19/series		patch \| blob \| blame \| history