From 9496fc2dc3daaa9a20bc6be7e94defe02b22fa52 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Wed, 18 Sep 2024 19:52:46 +0200
Subject: [PATCH] 5.10-stable patches

added patches:
ocfs2-strict-bound-check-before-memcmp-in-ocfs2_xattr_find_entry.patch
---
 ...ore-memcmp-in-ocfs2_xattr_find_entry.patch | 62 +++++++++++++++++++
 queue-5.10/series | 1 +
 2 files changed, 63 insertions(+)
 create mode 100644 queue-5.10/ocfs2-strict-bound-check-before-memcmp-in-ocfs2_xattr_find_entry.patch

diff --git a/queue-5.10/ocfs2-strict-bound-check-before-memcmp-in-ocfs2_xattr_find_entry.patch b/queue-5.10/ocfs2-strict-bound-check-before-memcmp-in-ocfs2_xattr_find_entry.patch
new file mode 100644
index 00000000000..71f4312d5c3
--- /dev/null
+++ b/queue-5.10/ocfs2-strict-bound-check-before-memcmp-in-ocfs2_xattr_find_entry.patch
@@ -0,0 +1,62 @@
+From af77c4fc1871847b528d58b7fdafb4aa1f6a9262 Mon Sep 17 00:00:00 2001
+From: Ferry Meng
+Date: Mon, 20 May 2024 10:40:24 +0800
+Subject: ocfs2: strict bound check before memcmp in ocfs2_xattr_find_entry()
+
+From: Ferry Meng
+
+commit af77c4fc1871847b528d58b7fdafb4aa1f6a9262 upstream.
+
+xattr in ocfs2 maybe 'non-indexed', which saved with additional space
+requested. It's better to check if the memory is out of bound before
+memcmp, although this possibility mainly comes from crafted poisonous
+images.
+
+Link: https://lkml.kernel.org/r/20240520024024.1976129-2-joseph.qi@linux.alibaba.com
+Signed-off-by: Ferry Meng
+Signed-off-by: Joseph Qi
+Reported-by: lei lu
+Reviewed-by: Joseph Qi
+Cc: Changwei Ge
+Cc: Gang He
+Cc: Joel Becker
+Cc: Jun Piao
+Cc: Junxiao Bi
+Cc: Mark Fasheh
+Signed-off-by: Andrew Morton
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/ocfs2/xattr.c | 15 ++++++++++-----
+ 1 file changed, 10 insertions(+), 5 deletions(-)
+
+--- a/fs/ocfs2/xattr.c
++++ b/fs/ocfs2/xattr.c
+@@ -1074,7 +1074,7 @@ static int ocfs2_xattr_find_entry(int na
+ {
+ struct ocfs2_xattr_entry *entry;
+ size_t name_len;
+- int i, cmp = 1;
++ int i, name_offset, cmp = 1;
+
+ if (name == NULL)
+ return -EINVAL;
+@@ -1085,10 +1085,15 @@ static int ocfs2_xattr_find_entry(int na
+ cmp = name_index - ocfs2_xattr_get_type(entry);
+ if (!cmp)
+ cmp = name_len - entry->xe_name_len;
+- if (!cmp)
+- cmp = memcmp(name, (xs->base +
+- le16_to_cpu(entry->xe_name_offset)),
+- name_len);
++ if (!cmp) {
++ name_offset = le16_to_cpu(entry->xe_name_offset);
++ if ((xs->base + name_offset + name_len) > xs->end) {
++ ocfs2_error(inode->i_sb,
++ "corrupted xattr entries");
++ return -EFSCORRUPTED;
++ }
++ cmp = memcmp(name, (xs->base + name_offset), name_len);
++ }
+ if (cmp == 0)
+ break;
+ entry += 1;
diff --git a/queue-5.10/series b/queue-5.10/series
index fdaa0d5ae37..d61e95a132a 100644
--- a/queue-5.10/series
+++ b/queue-5.10/series
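Review bot: The new check in the second inner hunk computes `xs->base + name_offset + name_len` as a pointer before comparing it with `xs->end`, so on a crafted image the out-of-range pointer is formed first and only then rejected; comparing lengths instead keeps the arithmetic on integers and makes the intent (offset plus name length must fit inside the block) explicit: `if ((size_t)name_offset + name_len > (size_t)(xs->end - xs->base)) {`. Since `name_offset` only ever receives a `le16_to_cpu()` result, declaring it with an unsigned type rather than `int` would also remove the signed/unsigned mix in that expression. The check bounds only the name bytes read by `memcmp()`; `entry` itself still advances with `entry += 1` under a loop whose bound lies outside the hunk, so whether the entry array is kept within `xs->end` cannot be confirmed from here. The enclosing `ocfs2_xattr_find_entry()` starts and ends outside the hunk.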
@@ -26,3 +26,4 @@ spi-nxp-fspi-fix-the-kasan-report-out-of-bounds-bug.patch
 soundwire-stream-revert-soundwire-stream-fix-programming-slave-ports-for-non-continous-port-maps.patch
 asoc-meson-axg-card-fix-use-after-free.patch
 dma-buf-heaps-fix-off-by-one-in-cma-heap-fault-handler.patch
+ocfs2-strict-bound-check-before-memcmp-in-ocfs2_xattr_find_entry.patch
-- 
2.47.3