5.15-stable patches

added patches:
	exfat-check-if-filename-entries-exceeds-max-filename-length.patch

diff --git a/queue-5.15/exfat-check-if-filename-entries-exceeds-max-filename-length.patch b/queue-5.15/exfat-check-if-filename-entries-exceeds-max-filename-length.patch
new file mode 100644 (file)
index 0000000..7ef1a69
--- /dev/null
+++ b/queue-5.15/exfat-check-if-filename-entries-exceeds-max-filename-length.patch
@@ -0,0 +1,63 @@
+From d42334578eba1390859012ebb91e1e556d51db49 Mon Sep 17 00:00:00 2001
+From: Namjae Jeon <linkinjeon@kernel.org>
+Date: Thu, 13 Jul 2023 21:59:37 +0900
+Subject: exfat: check if filename entries exceeds max filename length
+
+From: Namjae Jeon <linkinjeon@kernel.org>
+
+commit d42334578eba1390859012ebb91e1e556d51db49 upstream.
+
+exfat_extract_uni_name copies characters from a given file name entry into
+the 'uniname' variable. This variable is actually defined on the stack of
+the exfat_readdir() function. According to the definition of
+the 'exfat_uni_name' type, the file name should be limited 255 characters
+(+ null teminator space), but the exfat_get_uniname_from_ext_entry()
+function can write more characters because there is no check if filename
+entries exceeds max filename length. This patch add the check not to copy
+filename characters when exceeding max filename length.
+
+Cc: stable@vger.kernel.org
+Cc: Yuezhang Mo <Yuezhang.Mo@sony.com>
+Reported-by: Maxim Suhanov <dfirblog@gmail.com>
+Reviewed-by: Sungjong Seo <sj1557.seo@samsung.com>
+Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+[Harshit: backport to 5.15.y]
+Signed-off-by: Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/exfat/dir.c |    9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+--- a/fs/exfat/dir.c
++++ b/fs/exfat/dir.c
+@@ -34,6 +34,7 @@ static void exfat_get_uniname_from_ext_e
+ {
+       int i;
+       struct exfat_entry_set_cache *es;
++      unsigned int uni_len = 0, len;
+ 
+       es = exfat_get_dentry_set(sb, p_dir, entry, ES_ALL_ENTRIES);
+       if (!es)
+@@ -52,7 +53,10 @@ static void exfat_get_uniname_from_ext_e
+               if (exfat_get_entry_type(ep) != TYPE_EXTEND)
+                       break;
+ 
+-              exfat_extract_uni_name(ep, uniname);
++              len = exfat_extract_uni_name(ep, uniname);
++              uni_len += len;
++              if (len != EXFAT_FILE_NAME_LEN || uni_len >= MAX_NAME_LENGTH)
++                      break;
+               uniname += EXFAT_FILE_NAME_LEN;
+       }
+ 
+@@ -1032,7 +1036,8 @@ rewind:
+                       if (entry_type == TYPE_EXTEND) {
+                               unsigned short entry_uniname[16], unichar;
+ 
+-                              if (step != DIRENT_STEP_NAME) {
++                              if (step != DIRENT_STEP_NAME ||
++                                  name_len >= MAX_NAME_LENGTH) {
+                                       step = DIRENT_STEP_FILE;
+                                       continue;
+                               }

diff --git a/queue-5.15/series b/queue-5.15/series
index b22697c2dbf487600c2d42f89513ab2bf1b38384..ee479de7090e727e5358dc8edb9b8e49f864129b 100644 (file)
--- a/queue-5.15/series
+++ b/queue-5.15/series
@@ -122,3 +122,4 @@ mmc-block-fix-in_flight-value-error.patch
 drm-qxl-fix-uaf-on-handle-creation.patch
 drm-amd-flush-any-delayed-gfxoff-on-suspend-entry.patch
 netfilter-set-default-timeout-to-3-secs-for-sctp-shutdown-send-and-recv-state.patch
+exfat-check-if-filename-entries-exceeds-max-filename-length.patch