From: Greg Kroah-Hartman
Date: Wed, 18 Sep 2024 17:52:47 +0000 (+0200)
Subject: 6.1-stable patches
X-Git-Tag: v6.1.112~50
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=6a7ad60a1a161619421f3de79def8f0e281a6a95;p=thirdparty%2Fkernel%2Fstable-queue.git
6.1-stable patches added patches: ocfs2-strict-bound-check-before-memcmp-in-ocfs2_xattr_find_entry.patch series
---
diff --git a/queue-6.1/ocfs2-strict-bound-check-before-memcmp-in-ocfs2_xattr_find_entry.patch b/queue-6.1/ocfs2-strict-bound-check-before-memcmp-in-ocfs2_xattr_find_entry.patch
new file mode 100644
index 00000000000..03d487fc92b
--- /dev/null
+++ b/queue-6.1/ocfs2-strict-bound-check-before-memcmp-in-ocfs2_xattr_find_entry.patch
@@ -0,0 +1,62 @@
+From af77c4fc1871847b528d58b7fdafb4aa1f6a9262 Mon Sep 17 00:00:00 2001
+From: Ferry Meng
+Date: Mon, 20 May 2024 10:40:24 +0800
+Subject: ocfs2: strict bound check before memcmp in ocfs2_xattr_find_entry()
+
+From: Ferry Meng
+
+commit af77c4fc1871847b528d58b7fdafb4aa1f6a9262 upstream.
+
+xattr in ocfs2 maybe 'non-indexed', which saved with additional space
+requested. It's better to check if the memory is out of bound before
+memcmp, although this possibility mainly comes from crafted poisonous
+images.
+
+Link: https://lkml.kernel.org/r/20240520024024.1976129-2-joseph.qi@linux.alibaba.com
+Signed-off-by: Ferry Meng
+Signed-off-by: Joseph Qi
+Reported-by: lei lu
+Reviewed-by: Joseph Qi
+Cc: Changwei Ge
+Cc: Gang He
+Cc: Joel Becker
+Cc: Jun Piao
+Cc: Junxiao Bi
+Cc: Mark Fasheh
+Signed-off-by: Andrew Morton
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/ocfs2/xattr.c | 15 ++++++++++-----
+ 1 file changed, 10 insertions(+), 5 deletions(-)
+
+--- a/fs/ocfs2/xattr.c
++++ b/fs/ocfs2/xattr.c
+@@ -1072,7 +1072,7 @@ static int ocfs2_xattr_find_entry(int na
+ {
+ struct ocfs2_xattr_entry *entry;
+ size_t name_len;
+- int i, cmp = 1;
++ int i, name_offset, cmp = 1;
+
+ if (name == NULL)
+ return -EINVAL;
+@@ -1083,10 +1083,15 @@ static int ocfs2_xattr_find_entry(int na
+ cmp = name_index - ocfs2_xattr_get_type(entry);
+ if (!cmp)
+ cmp = name_len - entry->xe_name_len;
+- if (!cmp)
+- cmp = memcmp(name, (xs->base +
+- le16_to_cpu(entry->xe_name_offset)),
+- name_len);
++ if (!cmp) {
++ name_offset = le16_to_cpu(entry->xe_name_offset);
++ if ((xs->base + name_offset + name_len) > xs->end) {
++ ocfs2_error(inode->i_sb,
++ "corrupted xattr entries");
++ return -EFSCORRUPTED;
++ }
++ cmp = memcmp(name, (xs->base + name_offset), name_len);
++ }
+ if (cmp == 0)
+ break;
+ entry += 1;
diff --git a/queue-6.1/series b/queue-6.1/series
new file mode 100644
index 00000000000..53281433b5d
--- /dev/null
+++ b/queue-6.1/series
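Review bot: The new check in the second inner hunk guards only the name bytes that memcmp() reads, while the entry header dereferenced just above it (`entry->xe_name_len`, `entry->xe_name_offset`) is still taken from disk unchecked; the loop that advances `entry += 1`, and the start of ocfs2_xattr_find_entry(), lie outside the hunk, so unless the entry count is validated against `xs->end` there, `entry` itself may already sit past the buffer before this bound is tested — worth confirming before relying on this patch alone. The test also forms `xs->base + name_offset + name_len` before comparing it, which is an out-of-range pointer on exactly the corrupted path it is meant to catch; the integer form `if (name_offset + name_len > (size_t)(xs->end - xs->base))` is equivalent and stays within defined behaviour. A short comment at the check, `/* xe_name_offset/xe_name_len come from the on-disk entry; keep the memcmp() window inside [base, end) */`, would record why the bound is needed.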
@@ -0,0 +1 @@
+ocfs2-strict-bound-check-before-memcmp-in-ocfs2_xattr_find_entry.patch