Fixes for 4.19
authorSasha Levin <sashal@kernel.org>
Thu, 24 Oct 2024 11:16:27 +0000 (07:16 -0400)
committerSasha Levin <sashal@kernel.org>
Thu, 24 Oct 2024 11:16:27 +0000 (07:16 -0400)
Signed-off-by: Sasha Levin <sashal@kernel.org>
queue-4.19/series
queue-4.19/udf-fix-uninit-value-use-in-udf_get_fileshortad.patch [new file with mode: 0644]

index 36a05e60a4b72e4ecf15d2ae027aa51eddcade75..752c2aed7fea56cdc565dacfa14b1d7ef60021e1 100644 (file)
@@ -305,3 +305,4 @@ kvm-s390-gaccess-refactor-gpa-and-length-calculation.patch
 kvm-s390-gaccess-refactor-access-address-range-check.patch
 kvm-s390-gaccess-cleanup-access-to-guest-pages.patch
 kvm-s390-gaccess-check-if-guest-address-is-in-memslo.patch
+udf-fix-uninit-value-use-in-udf_get_fileshortad.patch
diff --git a/queue-4.19/udf-fix-uninit-value-use-in-udf_get_fileshortad.patch b/queue-4.19/udf-fix-uninit-value-use-in-udf_get_fileshortad.patch
new file mode 100644 (file)
index 0000000..0dfa72e
--- /dev/null
@@ -0,0 +1,54 @@
+From ce57aa703c2e4b7afe8433ef7beea0a9a66a5aa5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 25 Sep 2024 09:46:15 +0200
+Subject: udf: fix uninit-value use in udf_get_fileshortad
+
+From: Gianfranco Trad <gianf.trad@gmail.com>
+
+[ Upstream commit 264db9d666ad9a35075cc9ed9ec09d021580fbb1 ]
+
+Check for overflow when computing alen in udf_current_aext to mitigate
+later uninit-value use in udf_get_fileshortad KMSAN bug[1].
+After applying the patch reproducer did not trigger any issue[2].
+
+[1] https://syzkaller.appspot.com/bug?extid=8901c4560b7ab5c2f9df
+[2] https://syzkaller.appspot.com/x/log.txt?x=10242227980000
+
+Reported-by: syzbot+8901c4560b7ab5c2f9df@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=8901c4560b7ab5c2f9df
+Tested-by: syzbot+8901c4560b7ab5c2f9df@syzkaller.appspotmail.com
+Suggested-by: Jan Kara <jack@suse.com>
+Signed-off-by: Gianfranco Trad <gianf.trad@gmail.com>
+Signed-off-by: Jan Kara <jack@suse.cz>
+Link: https://patch.msgid.link/20240925074613.8475-3-gianf.trad@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/udf/inode.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/fs/udf/inode.c b/fs/udf/inode.c
+index 08d7208eb7b75..76bb8be01b8d9 100644
+--- a/fs/udf/inode.c
++++ b/fs/udf/inode.c
+@@ -2166,12 +2166,15 @@ int8_t udf_current_aext(struct inode *inode, struct extent_position *epos,
+               alen = udf_file_entry_alloc_offset(inode) +
+                                                       iinfo->i_lenAlloc;
+       } else {
++              struct allocExtDesc *header =
++                      (struct allocExtDesc *)epos->bh->b_data;
++
+               if (!epos->offset)
+                       epos->offset = sizeof(struct allocExtDesc);
+               ptr = epos->bh->b_data + epos->offset;
+-              alen = sizeof(struct allocExtDesc) +
+-                      le32_to_cpu(((struct allocExtDesc *)epos->bh->b_data)->
+-                                                      lengthAllocDescs);
++              if (check_add_overflow(sizeof(struct allocExtDesc),
++                              le32_to_cpu(header->lengthAllocDescs), &alen))
++                      return -1;
+       }
+       switch (iinfo->i_alloc_type) {
+-- 
+2.43.0
+
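Review bot: The added `check_add_overflow()` in the `else` branch of udf_current_aext only rejects a sum that does not fit in `alen`; a `lengthAllocDescs` value taken from the on-disk descriptor that is large but does not wrap still passes. `alen` could then describe a range longer than the data behind `epos->bh`. Unless a bound is enforced outside this hunk (the function body starts before and continues after it), a check such as `if (alen > epos->bh->b_size) return -1;` placed right after the overflow test would keep later descriptor reads inside the block. Separately, for the 4.19 backport: the two operands are a `size_t` and a 32-bit value, and as far as I recall the older `check_add_overflow()` definition expects both operands and the destination to share one type, so this may need explicit casts to build without "comparison of distinct pointer types" warnings. That is worth a compile check on this tree.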