+sunrpc-fix-loop-termination-condition-in-gss_free_in_token_pages.patch
x86-tsc-trust-initial-offset-in-architectural-tsc-adjust-msrs.patch
ftrace-fix-possible-use-after-free-issue-in-ftrace_location.patch
tty-n_gsm-fix-possible-out-of-bounds-in-gsm0_receive.patch
--- /dev/null
+From 4a77c3dead97339478c7422eb07bf4bf63577008 Mon Sep 17 00:00:00 2001
+From: Chuck Lever <chuck.lever@oracle.com>
+Date: Sun, 2 Jun 2024 18:15:25 -0400
+Subject: SUNRPC: Fix loop termination condition in gss_free_in_token_pages()
+
+From: Chuck Lever <chuck.lever@oracle.com>
+
+commit 4a77c3dead97339478c7422eb07bf4bf63577008 upstream.
+
+The in_token->pages[] array is not NULL terminated. This results in
+the following KASAN splat:
+
+ KASAN: maybe wild-memory-access in range [0x04a2013400000008-0x04a201340000000f]
+
+Fixes: bafa6b4d95d9 ("SUNRPC: Fix gss_free_in_token_pages()")
+Reviewed-by: Benjamin Coddington <bcodding@redhat.com>
+Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sunrpc/auth_gss/svcauth_gss.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/sunrpc/auth_gss/svcauth_gss.c
++++ b/net/sunrpc/auth_gss/svcauth_gss.c
+@@ -1168,7 +1168,7 @@ static int gss_read_proxy_verf(struct sv
+ }
+
+ pages = DIV_ROUND_UP(inlen, PAGE_SIZE);
+- in_token->pages = kcalloc(pages, sizeof(struct page *), GFP_KERNEL);
++ in_token->pages = kcalloc(pages + 1, sizeof(struct page *), GFP_KERNEL);
+ if (!in_token->pages) {
+ kfree(in_handle->data);
+ return SVC_DENIED;
projects / thirdparty / kernel / stable-queue.git / commitdiff
