From: Sasha Levin Date: Thu, 24 Oct 2024 11:16:27 +0000 (-0400) Subject: Fixes for 4.19 X-Git-Tag: v5.15.170~53 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=fd27fce0a00e80223c2fc5f43d4f2893e75bc8da;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 4.19 Signed-off-by: Sasha Levin
---
diff --git a/queue-4.19/series b/queue-4.19/series
index 36a05e60a4b..752c2aed7fe 100644
--- a/queue-4.19/series
+++ b/queue-4.19/series
@@ -305,3 +305,4 @@ kvm-s390-gaccess-refactor-gpa-and-length-calculation.patch
 kvm-s390-gaccess-refactor-access-address-range-check.patch
 kvm-s390-gaccess-cleanup-access-to-guest-pages.patch
 kvm-s390-gaccess-check-if-guest-address-is-in-memslo.patch
+udf-fix-uninit-value-use-in-udf_get_fileshortad.patch
diff --git a/queue-4.19/udf-fix-uninit-value-use-in-udf_get_fileshortad.patch b/queue-4.19/udf-fix-uninit-value-use-in-udf_get_fileshortad.patch
new file mode 100644
index 00000000000..0dfa72e149f
--- /dev/null
+++ b/queue-4.19/udf-fix-uninit-value-use-in-udf_get_fileshortad.patch
@@ -0,0 +1,54 @@
+From ce57aa703c2e4b7afe8433ef7beea0a9a66a5aa5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 25 Sep 2024 09:46:15 +0200
+Subject: udf: fix uninit-value use in udf_get_fileshortad
+
+From: Gianfranco Trad
+
+[ Upstream commit 264db9d666ad9a35075cc9ed9ec09d021580fbb1 ]
+
+Check for overflow when computing alen in udf_current_aext to mitigate
+later uninit-value use in udf_get_fileshortad KMSAN bug[1].
+After applying the patch reproducer did not trigger any issue[2].
+
+[1] https://syzkaller.appspot.com/bug?extid=8901c4560b7ab5c2f9df
+[2] https://syzkaller.appspot.com/x/log.txt?x=10242227980000
+
+Reported-by: syzbot+8901c4560b7ab5c2f9df@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=8901c4560b7ab5c2f9df
+Tested-by: syzbot+8901c4560b7ab5c2f9df@syzkaller.appspotmail.com
+Suggested-by: Jan Kara
+Signed-off-by: Gianfranco Trad
+Signed-off-by: Jan Kara
+Link: https://patch.msgid.link/20240925074613.8475-3-gianf.trad@gmail.com
+Signed-off-by: Sasha Levin
+---
+ fs/udf/inode.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/fs/udf/inode.c b/fs/udf/inode.c
+index 08d7208eb7b75..76bb8be01b8d9 100644
+--- a/fs/udf/inode.c
++++ b/fs/udf/inode.c
+@@ -2166,12 +2166,15 @@ int8_t udf_current_aext(struct inode *inode, struct extent_position *epos,
+ alen = udf_file_entry_alloc_offset(inode) +
+ iinfo->i_lenAlloc;
+ } else {
++ struct allocExtDesc *header =
++ (struct allocExtDesc *)epos->bh->b_data;
++
+ if (!epos->offset)
+ epos->offset = sizeof(struct allocExtDesc);
+ ptr = epos->bh->b_data + epos->offset;
+- alen = sizeof(struct allocExtDesc) +
+- le32_to_cpu(((struct allocExtDesc *)epos->bh->b_data)->
+- lengthAllocDescs);
++ if (check_add_overflow(sizeof(struct allocExtDesc),
++ le32_to_cpu(header->lengthAllocDescs), &alen))
++ return -1;
+ }
+
+ switch (iinfo->i_alloc_type) {
+--
+2.43.0
+
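Review bot: The new `check_add_overflow()` guard in the `else` branch of `udf_current_aext` rejects only a sum that does not fit in `alen`; an on-disk `lengthAllocDescs` that is large but still representable passes and leaves `alen` well beyond the data held in `epos->bh->b_data`. Because that field is read from the medium, it would be stronger to also bound the result against the buffer, for example `if (alen > epos->bh->b_size) return -1;`, unless code outside this hunk already enforces that limit. Separately, the three arguments have different types (`sizeof` yields `size_t`, `le32_to_cpu()` a 32-bit unsigned value, and `alen` is declared outside the hunk), and older trees' `check_add_overflow()` may type-check its operands, so this 4.19 backport deserves a build test for new warnings. `udf_current_aext` starts and ends outside the hunk, so how `alen` is consumed afterwards is not visible here.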