From: Greg Kroah-Hartman Date: Mon, 13 May 2024 10:27:58 +0000 (+0200) Subject: 5.10-stable patches X-Git-Tag: v4.19.314~73 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=5452f9ad07a8e311deb32e721d25c4ab2990f93e;p=thirdparty%2Fkernel%2Fstable-queue.git 5.10-stable patches added patches: firewire-nosy-ensure-user_length-is-taken-into-account-when-fetching-packet-contents.patch --- diff --git a/queue-5.10/firewire-nosy-ensure-user_length-is-taken-into-account-when-fetching-packet-contents.patch b/queue-5.10/firewire-nosy-ensure-user_length-is-taken-into-account-when-fetching-packet-contents.patch new file mode 100644 index 00000000000..ab89a1ba478 --- /dev/null +++ b/queue-5.10/firewire-nosy-ensure-user_length-is-taken-into-account-when-fetching-packet-contents.patch 
@@ -0,0 +1,38 @@ +From 38762a0763c10c24a4915feee722d7aa6e73eb98 Mon Sep 17 00:00:00 2001 +From: Thanassis Avgerinos +Date: Wed, 17 Apr 2024 11:30:02 -0400 +Subject: firewire: nosy: ensure user_length is taken into account when fetching packet contents + +From: Thanassis Avgerinos + +commit 38762a0763c10c24a4915feee722d7aa6e73eb98 upstream. + +Ensure that packet_buffer_get respects the user_length provided. If +the length of the head packet exceeds the user_length, packet_buffer_get +will now return 0 to signify to the user that no data were read +and a larger buffer size is required. Helps prevent user space overflows. + +Signed-off-by: Thanassis Avgerinos +Signed-off-by: Takashi Sakamoto +Signed-off-by: Greg Kroah-Hartman +--- + drivers/firewire/nosy.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/drivers/firewire/nosy.c ++++ b/drivers/firewire/nosy.c +@@ -148,10 +148,12 @@ packet_buffer_get(struct client *client, + if (atomic_read(&buffer->size) == 0) + return -ENODEV; + +- /* FIXME: Check length <= user_length. */ ++ length = buffer->head->length; ++ ++ if (length > user_length) ++ return 0; + + end = buffer->data + buffer->capacity; +- length = buffer->head->length; + + if (&buffer->head->data[length] < end) { + if (copy_to_user(data, buffer->head->data, length)) diff --git a/queue-5.10/series b/queue-5.10/series index 01b2b5407b7..65c219d13fb 100644 --- a/queue-5.10/series +++ b/queue-5.10/series @@ -89,3 +89,4 @@ net-bridge-fix-corrupted-ethernet-header-on-multicas.patch ipv6-fib6_rules-avoid-possible-null-dereference-in-f.patch net-hns3-use-appropriate-barrier-function-after-sett.patch btrfs-fix-kvcalloc-arguments-order-in-btrfs_ioctl_send.patch +firewire-nosy-ensure-user_length-is-taken-into-account-when-fetching-packet-contents.patch
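Review bot: The new early return in packet_buffer_get() (`if (length > user_length) return 0;`) reports an undersized buffer as a zero-length result, which a caller on a read path cannot distinguish from "no data" or end-of-file. Because the function returns before the copy_to_user() path runs, a caller that retries with the same buffer size will see 0 again. The commit message states that 0 means "a larger buffer size is required", but the code no longer says so once the FIXME is removed. Replace the FIXME with a short comment documenting that contract, or consider a distinct error code so user space can tell the two cases apart. The declarations of `length` and `user_length` are outside this hunk, so also confirm that they share the same signedness. A signed/unsigned mismatch would change what the `length > user_length` comparison rejects.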