+++ /dev/null
-From af77c4fc1871847b528d58b7fdafb4aa1f6a9262 Mon Sep 17 00:00:00 2001
-From: Ferry Meng <mengferry@linux.alibaba.com>
-Date: Mon, 20 May 2024 10:40:24 +0800
-Subject: ocfs2: strict bound check before memcmp in ocfs2_xattr_find_entry()
-
-From: Ferry Meng <mengferry@linux.alibaba.com>
-
-commit af77c4fc1871847b528d58b7fdafb4aa1f6a9262 upstream.
-
-xattr in ocfs2 maybe 'non-indexed', which saved with additional space
-requested. It's better to check if the memory is out of bound before
-memcmp, although this possibility mainly comes from crafted poisonous
-images.
-
-Link: https://lkml.kernel.org/r/20240520024024.1976129-2-joseph.qi@linux.alibaba.com
-Signed-off-by: Ferry Meng <mengferry@linux.alibaba.com>
-Signed-off-by: Joseph Qi <joseph.qi@linux.alibaba.com>
-Reported-by: lei lu <llfamsec@gmail.com>
-Reviewed-by: Joseph Qi <joseph.qi@linux.alibaba.com>
-Cc: Changwei Ge <gechangwei@live.cn>
-Cc: Gang He <ghe@suse.com>
-Cc: Joel Becker <jlbec@evilplan.org>
-Cc: Jun Piao <piaojun@huawei.com>
-Cc: Junxiao Bi <junxiao.bi@oracle.com>
-Cc: Mark Fasheh <mark@fasheh.com>
-Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- fs/ocfs2/xattr.c | 15 ++++++++++-----
- 1 file changed, 10 insertions(+), 5 deletions(-)
-
---- a/fs/ocfs2/xattr.c
-+++ b/fs/ocfs2/xattr.c
-@@ -1082,7 +1082,7 @@ static int ocfs2_xattr_find_entry(int na
- {
- struct ocfs2_xattr_entry *entry;
- size_t name_len;
-- int i, cmp = 1;
-+ int i, name_offset, cmp = 1;
-
- if (name == NULL)
- return -EINVAL;
-@@ -1093,10 +1093,15 @@ static int ocfs2_xattr_find_entry(int na
- cmp = name_index - ocfs2_xattr_get_type(entry);
- if (!cmp)
- cmp = name_len - entry->xe_name_len;
-- if (!cmp)
-- cmp = memcmp(name, (xs->base +
-- le16_to_cpu(entry->xe_name_offset)),
-- name_len);
-+ if (!cmp) {
-+ name_offset = le16_to_cpu(entry->xe_name_offset);
-+ if ((xs->base + name_offset + name_len) > xs->end) {
-+ ocfs2_error(inode->i_sb,
-+ "corrupted xattr entries");
-+ return -EFSCORRUPTED;
-+ }
-+ cmp = memcmp(name, (xs->base + name_offset), name_len);
-+ }
- if (cmp == 0)
- break;
- entry += 1;
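Review bot: Dropping this queued patch leaves the `memcmp()` in `ocfs2_xattr_find_entry()` reading `name_len` bytes at `xs->base + le16_to_cpu(entry->xe_name_offset)` with no comparison against `xs->end`. The patch description says such offsets can come from crafted images, so the out-of-bounds read stays reachable in this tree. A likely reason for the drop is visible in the removed hunk: it calls `ocfs2_error(inode->i_sb, ...)`, but the hunk header shows the parameter list starting with `int na...` and no `inode` local is declared, so the backport presumably does not build as queued (the full signature is outside the hunk, so confirm). The fix should be re-queued together with whatever prerequisite brings `inode` into scope, or with the check reworked to report the corruption without it. The same patch is removed from the other queue directories further down this page, and the same point applies to each.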
soundwire-stream-revert-soundwire-stream-fix-programming-slave-ports-for-non-continous-port-maps.patch
selftests-vm-remove-call-to-ksft_set_plan.patch
selftests-kcmp-remove-call-to-ksft_set_plan.patch
-ocfs2-strict-bound-check-before-memcmp-in-ocfs2_xattr_find_entry.patch
+++ /dev/null
-From af77c4fc1871847b528d58b7fdafb4aa1f6a9262 Mon Sep 17 00:00:00 2001
-From: Ferry Meng <mengferry@linux.alibaba.com>
-Date: Mon, 20 May 2024 10:40:24 +0800
-Subject: ocfs2: strict bound check before memcmp in ocfs2_xattr_find_entry()
-
-From: Ferry Meng <mengferry@linux.alibaba.com>
-
-commit af77c4fc1871847b528d58b7fdafb4aa1f6a9262 upstream.
-
-xattr in ocfs2 maybe 'non-indexed', which saved with additional space
-requested. It's better to check if the memory is out of bound before
-memcmp, although this possibility mainly comes from crafted poisonous
-images.
-
-Link: https://lkml.kernel.org/r/20240520024024.1976129-2-joseph.qi@linux.alibaba.com
-Signed-off-by: Ferry Meng <mengferry@linux.alibaba.com>
-Signed-off-by: Joseph Qi <joseph.qi@linux.alibaba.com>
-Reported-by: lei lu <llfamsec@gmail.com>
-Reviewed-by: Joseph Qi <joseph.qi@linux.alibaba.com>
-Cc: Changwei Ge <gechangwei@live.cn>
-Cc: Gang He <ghe@suse.com>
-Cc: Joel Becker <jlbec@evilplan.org>
-Cc: Jun Piao <piaojun@huawei.com>
-Cc: Junxiao Bi <junxiao.bi@oracle.com>
-Cc: Mark Fasheh <mark@fasheh.com>
-Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- fs/ocfs2/xattr.c | 15 ++++++++++-----
- 1 file changed, 10 insertions(+), 5 deletions(-)
-
---- a/fs/ocfs2/xattr.c
-+++ b/fs/ocfs2/xattr.c
-@@ -1074,7 +1074,7 @@ static int ocfs2_xattr_find_entry(int na
- {
- struct ocfs2_xattr_entry *entry;
- size_t name_len;
-- int i, cmp = 1;
-+ int i, name_offset, cmp = 1;
-
- if (name == NULL)
- return -EINVAL;
-@@ -1085,10 +1085,15 @@ static int ocfs2_xattr_find_entry(int na
- cmp = name_index - ocfs2_xattr_get_type(entry);
- if (!cmp)
- cmp = name_len - entry->xe_name_len;
-- if (!cmp)
-- cmp = memcmp(name, (xs->base +
-- le16_to_cpu(entry->xe_name_offset)),
-- name_len);
-+ if (!cmp) {
-+ name_offset = le16_to_cpu(entry->xe_name_offset);
-+ if ((xs->base + name_offset + name_len) > xs->end) {
-+ ocfs2_error(inode->i_sb,
-+ "corrupted xattr entries");
-+ return -EFSCORRUPTED;
-+ }
-+ cmp = memcmp(name, (xs->base + name_offset), name_len);
-+ }
- if (cmp == 0)
- break;
- entry += 1;
soundwire-stream-revert-soundwire-stream-fix-programming-slave-ports-for-non-continous-port-maps.patch
asoc-meson-axg-card-fix-use-after-free.patch
dma-buf-heaps-fix-off-by-one-in-cma-heap-fault-handler.patch
-ocfs2-strict-bound-check-before-memcmp-in-ocfs2_xattr_find_entry.patch
+++ /dev/null
-From af77c4fc1871847b528d58b7fdafb4aa1f6a9262 Mon Sep 17 00:00:00 2001
-From: Ferry Meng <mengferry@linux.alibaba.com>
-Date: Mon, 20 May 2024 10:40:24 +0800
-Subject: ocfs2: strict bound check before memcmp in ocfs2_xattr_find_entry()
-
-From: Ferry Meng <mengferry@linux.alibaba.com>
-
-commit af77c4fc1871847b528d58b7fdafb4aa1f6a9262 upstream.
-
-xattr in ocfs2 maybe 'non-indexed', which saved with additional space
-requested. It's better to check if the memory is out of bound before
-memcmp, although this possibility mainly comes from crafted poisonous
-images.
-
-Link: https://lkml.kernel.org/r/20240520024024.1976129-2-joseph.qi@linux.alibaba.com
-Signed-off-by: Ferry Meng <mengferry@linux.alibaba.com>
-Signed-off-by: Joseph Qi <joseph.qi@linux.alibaba.com>
-Reported-by: lei lu <llfamsec@gmail.com>
-Reviewed-by: Joseph Qi <joseph.qi@linux.alibaba.com>
-Cc: Changwei Ge <gechangwei@live.cn>
-Cc: Gang He <ghe@suse.com>
-Cc: Joel Becker <jlbec@evilplan.org>
-Cc: Jun Piao <piaojun@huawei.com>
-Cc: Junxiao Bi <junxiao.bi@oracle.com>
-Cc: Mark Fasheh <mark@fasheh.com>
-Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- fs/ocfs2/xattr.c | 15 ++++++++++-----
- 1 file changed, 10 insertions(+), 5 deletions(-)
-
---- a/fs/ocfs2/xattr.c
-+++ b/fs/ocfs2/xattr.c
-@@ -1072,7 +1072,7 @@ static int ocfs2_xattr_find_entry(int na
- {
- struct ocfs2_xattr_entry *entry;
- size_t name_len;
-- int i, cmp = 1;
-+ int i, name_offset, cmp = 1;
-
- if (name == NULL)
- return -EINVAL;
-@@ -1083,10 +1083,15 @@ static int ocfs2_xattr_find_entry(int na
- cmp = name_index - ocfs2_xattr_get_type(entry);
- if (!cmp)
- cmp = name_len - entry->xe_name_len;
-- if (!cmp)
-- cmp = memcmp(name, (xs->base +
-- le16_to_cpu(entry->xe_name_offset)),
-- name_len);
-+ if (!cmp) {
-+ name_offset = le16_to_cpu(entry->xe_name_offset);
-+ if ((xs->base + name_offset + name_len) > xs->end) {
-+ ocfs2_error(inode->i_sb,
-+ "corrupted xattr entries");
-+ return -EFSCORRUPTED;
-+ }
-+ cmp = memcmp(name, (xs->base + name_offset), name_len);
-+ }
- if (cmp == 0)
- break;
- entry += 1;
soundwire-stream-revert-soundwire-stream-fix-programming-slave-ports-for-non-continous-port-maps.patch
dma-buf-heaps-fix-off-by-one-in-cma-heap-fault-handler.patch
asoc-meson-axg-card-fix-use-after-free.patch
-ocfs2-strict-bound-check-before-memcmp-in-ocfs2_xattr_find_entry.patch
+++ /dev/null
-From af77c4fc1871847b528d58b7fdafb4aa1f6a9262 Mon Sep 17 00:00:00 2001
-From: Ferry Meng <mengferry@linux.alibaba.com>
-Date: Mon, 20 May 2024 10:40:24 +0800
-Subject: ocfs2: strict bound check before memcmp in ocfs2_xattr_find_entry()
-
-From: Ferry Meng <mengferry@linux.alibaba.com>
-
-commit af77c4fc1871847b528d58b7fdafb4aa1f6a9262 upstream.
-
-xattr in ocfs2 maybe 'non-indexed', which saved with additional space
-requested. It's better to check if the memory is out of bound before
-memcmp, although this possibility mainly comes from crafted poisonous
-images.
-
-Link: https://lkml.kernel.org/r/20240520024024.1976129-2-joseph.qi@linux.alibaba.com
-Signed-off-by: Ferry Meng <mengferry@linux.alibaba.com>
-Signed-off-by: Joseph Qi <joseph.qi@linux.alibaba.com>
-Reported-by: lei lu <llfamsec@gmail.com>
-Reviewed-by: Joseph Qi <joseph.qi@linux.alibaba.com>
-Cc: Changwei Ge <gechangwei@live.cn>
-Cc: Gang He <ghe@suse.com>
-Cc: Joel Becker <jlbec@evilplan.org>
-Cc: Jun Piao <piaojun@huawei.com>
-Cc: Junxiao Bi <junxiao.bi@oracle.com>
-Cc: Mark Fasheh <mark@fasheh.com>
-Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- fs/ocfs2/xattr.c | 15 ++++++++++-----
- 1 file changed, 10 insertions(+), 5 deletions(-)
-
---- a/fs/ocfs2/xattr.c
-+++ b/fs/ocfs2/xattr.c
-@@ -1074,7 +1074,7 @@ static int ocfs2_xattr_find_entry(int na
- {
- struct ocfs2_xattr_entry *entry;
- size_t name_len;
-- int i, cmp = 1;
-+ int i, name_offset, cmp = 1;
-
- if (name == NULL)
- return -EINVAL;
-@@ -1085,10 +1085,15 @@ static int ocfs2_xattr_find_entry(int na
- cmp = name_index - ocfs2_xattr_get_type(entry);
- if (!cmp)
- cmp = name_len - entry->xe_name_len;
-- if (!cmp)
-- cmp = memcmp(name, (xs->base +
-- le16_to_cpu(entry->xe_name_offset)),
-- name_len);
-+ if (!cmp) {
-+ name_offset = le16_to_cpu(entry->xe_name_offset);
-+ if ((xs->base + name_offset + name_len) > xs->end) {
-+ ocfs2_error(inode->i_sb,
-+ "corrupted xattr entries");
-+ return -EFSCORRUPTED;
-+ }
-+ cmp = memcmp(name, (xs->base + name_offset), name_len);
-+ }
- if (cmp == 0)
- break;
- entry += 1;
spi-nxp-fspi-fix-the-kasan-report-out-of-bounds-bug.patch
soundwire-stream-revert-soundwire-stream-fix-programming-slave-ports-for-non-continous-port-maps.patch
selftests-breakpoints-fix-a-typo-of-function-name.patch
-ocfs2-strict-bound-check-before-memcmp-in-ocfs2_xattr_find_entry.patch
+++ /dev/null
-From af77c4fc1871847b528d58b7fdafb4aa1f6a9262 Mon Sep 17 00:00:00 2001
-From: Ferry Meng <mengferry@linux.alibaba.com>
-Date: Mon, 20 May 2024 10:40:24 +0800
-Subject: ocfs2: strict bound check before memcmp in ocfs2_xattr_find_entry()
-
-From: Ferry Meng <mengferry@linux.alibaba.com>
-
-commit af77c4fc1871847b528d58b7fdafb4aa1f6a9262 upstream.
-
-xattr in ocfs2 maybe 'non-indexed', which saved with additional space
-requested. It's better to check if the memory is out of bound before
-memcmp, although this possibility mainly comes from crafted poisonous
-images.
-
-Link: https://lkml.kernel.org/r/20240520024024.1976129-2-joseph.qi@linux.alibaba.com
-Signed-off-by: Ferry Meng <mengferry@linux.alibaba.com>
-Signed-off-by: Joseph Qi <joseph.qi@linux.alibaba.com>
-Reported-by: lei lu <llfamsec@gmail.com>
-Reviewed-by: Joseph Qi <joseph.qi@linux.alibaba.com>
-Cc: Changwei Ge <gechangwei@live.cn>
-Cc: Gang He <ghe@suse.com>
-Cc: Joel Becker <jlbec@evilplan.org>
-Cc: Jun Piao <piaojun@huawei.com>
-Cc: Junxiao Bi <junxiao.bi@oracle.com>
-Cc: Mark Fasheh <mark@fasheh.com>
-Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- fs/ocfs2/xattr.c | 15 ++++++++++-----
- 1 file changed, 10 insertions(+), 5 deletions(-)
-
---- a/fs/ocfs2/xattr.c
-+++ b/fs/ocfs2/xattr.c
-@@ -1072,7 +1072,7 @@ static int ocfs2_xattr_find_entry(int na
- {
- struct ocfs2_xattr_entry *entry;
- size_t name_len;
-- int i, cmp = 1;
-+ int i, name_offset, cmp = 1;
-
- if (name == NULL)
- return -EINVAL;
-@@ -1083,10 +1083,15 @@ static int ocfs2_xattr_find_entry(int na
- cmp = name_index - ocfs2_xattr_get_type(entry);
- if (!cmp)
- cmp = name_len - entry->xe_name_len;
-- if (!cmp)
-- cmp = memcmp(name, (xs->base +
-- le16_to_cpu(entry->xe_name_offset)),
-- name_len);
-+ if (!cmp) {
-+ name_offset = le16_to_cpu(entry->xe_name_offset);
-+ if ((xs->base + name_offset + name_len) > xs->end) {
-+ ocfs2_error(inode->i_sb,
-+ "corrupted xattr entries");
-+ return -EFSCORRUPTED;
-+ }
-+ cmp = memcmp(name, (xs->base + name_offset), name_len);
-+ }
- if (cmp == 0)
- break;
- entry += 1;
-ocfs2-strict-bound-check-before-memcmp-in-ocfs2_xattr_find_entry.patch
+++ /dev/null
-From af77c4fc1871847b528d58b7fdafb4aa1f6a9262 Mon Sep 17 00:00:00 2001
-From: Ferry Meng <mengferry@linux.alibaba.com>
-Date: Mon, 20 May 2024 10:40:24 +0800
-Subject: ocfs2: strict bound check before memcmp in ocfs2_xattr_find_entry()
-
-From: Ferry Meng <mengferry@linux.alibaba.com>
-
-commit af77c4fc1871847b528d58b7fdafb4aa1f6a9262 upstream.
-
-xattr in ocfs2 maybe 'non-indexed', which saved with additional space
-requested. It's better to check if the memory is out of bound before
-memcmp, although this possibility mainly comes from crafted poisonous
-images.
-
-Link: https://lkml.kernel.org/r/20240520024024.1976129-2-joseph.qi@linux.alibaba.com
-Signed-off-by: Ferry Meng <mengferry@linux.alibaba.com>
-Signed-off-by: Joseph Qi <joseph.qi@linux.alibaba.com>
-Reported-by: lei lu <llfamsec@gmail.com>
-Reviewed-by: Joseph Qi <joseph.qi@linux.alibaba.com>
-Cc: Changwei Ge <gechangwei@live.cn>
-Cc: Gang He <ghe@suse.com>
-Cc: Joel Becker <jlbec@evilplan.org>
-Cc: Jun Piao <piaojun@huawei.com>
-Cc: Junxiao Bi <junxiao.bi@oracle.com>
-Cc: Mark Fasheh <mark@fasheh.com>
-Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- fs/ocfs2/xattr.c | 15 ++++++++++-----
- 1 file changed, 10 insertions(+), 5 deletions(-)
-
---- a/fs/ocfs2/xattr.c
-+++ b/fs/ocfs2/xattr.c
-@@ -1068,7 +1068,7 @@ static int ocfs2_xattr_find_entry(int na
- {
- struct ocfs2_xattr_entry *entry;
- size_t name_len;
-- int i, cmp = 1;
-+ int i, name_offset, cmp = 1;
-
- if (name == NULL)
- return -EINVAL;
-@@ -1079,10 +1079,15 @@ static int ocfs2_xattr_find_entry(int na
- cmp = name_index - ocfs2_xattr_get_type(entry);
- if (!cmp)
- cmp = name_len - entry->xe_name_len;
-- if (!cmp)
-- cmp = memcmp(name, (xs->base +
-- le16_to_cpu(entry->xe_name_offset)),
-- name_len);
-+ if (!cmp) {
-+ name_offset = le16_to_cpu(entry->xe_name_offset);
-+ if ((xs->base + name_offset + name_len) > xs->end) {
-+ ocfs2_error(inode->i_sb,
-+ "corrupted xattr entries");
-+ return -EFSCORRUPTED;
-+ }
-+ cmp = memcmp(name, (xs->base + name_offset), name_len);
-+ }
- if (cmp == 0)
- break;
- entry += 1;
-ocfs2-strict-bound-check-before-memcmp-in-ocfs2_xattr_find_entry.patch
+++ /dev/null
-From af77c4fc1871847b528d58b7fdafb4aa1f6a9262 Mon Sep 17 00:00:00 2001
-From: Ferry Meng <mengferry@linux.alibaba.com>
-Date: Mon, 20 May 2024 10:40:24 +0800
-Subject: ocfs2: strict bound check before memcmp in ocfs2_xattr_find_entry()
-
-From: Ferry Meng <mengferry@linux.alibaba.com>
-
-commit af77c4fc1871847b528d58b7fdafb4aa1f6a9262 upstream.
-
-xattr in ocfs2 maybe 'non-indexed', which saved with additional space
-requested. It's better to check if the memory is out of bound before
-memcmp, although this possibility mainly comes from crafted poisonous
-images.
-
-Link: https://lkml.kernel.org/r/20240520024024.1976129-2-joseph.qi@linux.alibaba.com
-Signed-off-by: Ferry Meng <mengferry@linux.alibaba.com>
-Signed-off-by: Joseph Qi <joseph.qi@linux.alibaba.com>
-Reported-by: lei lu <llfamsec@gmail.com>
-Reviewed-by: Joseph Qi <joseph.qi@linux.alibaba.com>
-Cc: Changwei Ge <gechangwei@live.cn>
-Cc: Gang He <ghe@suse.com>
-Cc: Joel Becker <jlbec@evilplan.org>
-Cc: Jun Piao <piaojun@huawei.com>
-Cc: Junxiao Bi <junxiao.bi@oracle.com>
-Cc: Mark Fasheh <mark@fasheh.com>
-Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- fs/ocfs2/xattr.c | 15 ++++++++++-----
- 1 file changed, 10 insertions(+), 5 deletions(-)
-
---- a/fs/ocfs2/xattr.c
-+++ b/fs/ocfs2/xattr.c
-@@ -1068,7 +1068,7 @@ static int ocfs2_xattr_find_entry(int na
- {
- struct ocfs2_xattr_entry *entry;
- size_t name_len;
-- int i, cmp = 1;
-+ int i, name_offset, cmp = 1;
-
- if (name == NULL)
- return -EINVAL;
-@@ -1079,10 +1079,15 @@ static int ocfs2_xattr_find_entry(int na
- cmp = name_index - ocfs2_xattr_get_type(entry);
- if (!cmp)
- cmp = name_len - entry->xe_name_len;
-- if (!cmp)
-- cmp = memcmp(name, (xs->base +
-- le16_to_cpu(entry->xe_name_offset)),
-- name_len);
-+ if (!cmp) {
-+ name_offset = le16_to_cpu(entry->xe_name_offset);
-+ if ((xs->base + name_offset + name_len) > xs->end) {
-+ ocfs2_error(inode->i_sb,
-+ "corrupted xattr entries");
-+ return -EFSCORRUPTED;
-+ }
-+ cmp = memcmp(name, (xs->base + name_offset), name_len);
-+ }
- if (cmp == 0)
- break;
- entry += 1;
-ocfs2-strict-bound-check-before-memcmp-in-ocfs2_xattr_find_entry.patch