From: Greg Kroah-Hartman Date: Thu, 12 Dec 2024 08:42:29 +0000 (+0100) Subject: 5.4-stable patches X-Git-Tag: v5.4.287~44 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=460c9e25033af588526cd288823fc788f888f623;p=thirdparty%2Fkernel%2Fstable-queue.git 5.4-stable patches added patches: jffs2-fix-rtime-decompressor.patch jffs2-prevent-rtime-decompress-memory-corruption.patch --- diff --git a/queue-5.4/jffs2-fix-rtime-decompressor.patch b/queue-5.4/jffs2-fix-rtime-decompressor.patch new file mode 100644 index 00000000000..f1410bcceb0 --- /dev/null +++ b/queue-5.4/jffs2-fix-rtime-decompressor.patch @@ -0,0 +1,32 @@ +From b29bf7119d6bbfd04aabb8d82b060fe2a33ef890 Mon Sep 17 00:00:00 2001 +From: Richard Weinberger +Date: Tue, 3 Dec 2024 12:27:15 +0100 +Subject: jffs2: Fix rtime decompressor + +From: Richard Weinberger + +commit b29bf7119d6bbfd04aabb8d82b060fe2a33ef890 upstream. + +The fix for a memory corruption contained a off-by-one error and +caused the compressor to fail in legit cases. + +Cc: Kinsey Moore +Cc: stable@vger.kernel.org +Fixes: fe051552f5078 ("jffs2: Prevent rtime decompress memory corruption") +Signed-off-by: Richard Weinberger +Signed-off-by: Greg Kroah-Hartman +--- + fs/jffs2/compr_rtime.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/jffs2/compr_rtime.c ++++ b/fs/jffs2/compr_rtime.c +@@ -95,7 +95,7 @@ static int jffs2_rtime_decompress(unsign + + positions[value]=outpos; + if (repeat) { +- if ((outpos + repeat) >= destlen) { ++ if ((outpos + repeat) > destlen) { + return 1; + } + if (backoffs + repeat >= outpos) { diff --git a/queue-5.4/jffs2-prevent-rtime-decompress-memory-corruption.patch b/queue-5.4/jffs2-prevent-rtime-decompress-memory-corruption.patch new file mode 100644 index 00000000000..078df2a6d66 --- /dev/null +++ b/queue-5.4/jffs2-prevent-rtime-decompress-memory-corruption.patch 
@@ -0,0 +1,34 @@ +From fe051552f5078fa02d593847529a3884305a6ffe Mon Sep 17 00:00:00 2001 +From: Kinsey Moore +Date: Tue, 23 Jul 2024 15:58:05 -0500 +Subject: jffs2: Prevent rtime decompress memory corruption + +From: Kinsey Moore + +commit fe051552f5078fa02d593847529a3884305a6ffe upstream. + +The rtime decompression routine does not fully check bounds during the +entirety of the decompression pass and can corrupt memory outside the +decompression buffer if the compressed data is corrupted. This adds the +required check to prevent this failure mode. + +Cc: stable@vger.kernel.org +Signed-off-by: Kinsey Moore +Signed-off-by: Richard Weinberger +Signed-off-by: Greg Kroah-Hartman +--- + fs/jffs2/compr_rtime.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/fs/jffs2/compr_rtime.c ++++ b/fs/jffs2/compr_rtime.c +@@ -95,6 +95,9 @@ static int jffs2_rtime_decompress(unsign + + positions[value]=outpos; + if (repeat) { ++ if ((outpos + repeat) >= destlen) { ++ return 1; ++ } + if (backoffs + repeat >= outpos) { + while(repeat) { + cpage_out[outpos++] = cpage_out[backoffs++]; diff --git a/queue-5.4/series b/queue-5.4/series index fe172423109..dc178bcb67a 100644 --- a/queue-5.4/series +++ b/queue-5.4/series @@ -313,3 +313,5 @@ perf-x86-intel-pt-fix-buffer-full-but-size-is-0-case.patch kvm-arm64-vgic-its-add-a-data-length-check-in-vgic_its_save_.patch kvm-arm64-vgic-its-clear-dte-when-mapd-unmaps-a-device.patch kvm-arm64-vgic-its-clear-ite-when-discard-frees-an-ite.patch +jffs2-prevent-rtime-decompress-memory-corruption.patch +jffs2-fix-rtime-decompressor.patch
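Review bot: in queue-5.4/jffs2-fix-rtime-decompressor.patch, the commit message never says why `>` is the correct bound at `if ((outpos + repeat) > destlen) {`. Going by the copy loop shown in the other patch's context (`cpage_out[outpos++] = cpage_out[backoffs++];`), a run of `repeat` bytes starting at `outpos` writes indices `outpos` through `outpos + repeat - 1`. Assuming `destlen` is the size of `cpage_out`, a sum equal to `destlen` fills the buffer exactly and is valid, and only a sum greater than `destlen` writes past the end. A sentence to that effect in the message, or a short comment above the check, would document the boundary case. The message also says the "compressor" fails, while the changed function is `jffs2_rtime_decompress`.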
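Review bot: in queue-5.4/jffs2-prevent-rtime-decompress-memory-corruption.patch, the added test `if ((outpos + repeat) >= destlen) {` is off by one: it rejects a run that ends exactly at `destlen`, which is the regression the follow-up patch in this same commit corrects by changing `>=` to `>`. Since this patch is a verbatim backport of the upstream commit, keep it unchanged but do not ship it without the follow-up. As a style point, the braces around the single `return 1;` are unnecessary, and the check has no comment saying that it rejects corrupted input rather than a normal end of data.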
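Review bot: in the queue-5.4/series hunk, the two jffs2 entries depend on each other and on their order. `jffs2-fix-rtime-decompressor.patch` edits the line that `jffs2-prevent-rtime-decompress-memory-corruption.patch` adds, so it only applies after it, and the first patch alone carries the off-by-one named in the second patch's `Fixes:` tag. The order here is correct; they should stay adjacent and go out in the same stable release.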