From ace6ac00424e05bf76cb062f05833ee335d0d5ad Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Mon, 13 May 2024 12:28:43 +0200
Subject: [PATCH] 6.6-stable patches added patches: firewire-nosy-ensure-user_length-is-taken-into-account-when-fetching-packet-contents.patch
---
 ...ccount-when-fetching-packet-contents.patch | 38 +++++++++++++++++++
 queue-6.6/series | 1 +
 2 files changed, 39 insertions(+)
 create mode 100644 queue-6.6/firewire-nosy-ensure-user_length-is-taken-into-account-when-fetching-packet-contents.patch
diff --git a/queue-6.6/firewire-nosy-ensure-user_length-is-taken-into-account-when-fetching-packet-contents.patch b/queue-6.6/firewire-nosy-ensure-user_length-is-taken-into-account-when-fetching-packet-contents.patch
new file mode 100644
index 00000000000..ab89a1ba478
--- /dev/null
+++ b/queue-6.6/firewire-nosy-ensure-user_length-is-taken-into-account-when-fetching-packet-contents.patch
@@ -0,0 +1,38 @@
+From 38762a0763c10c24a4915feee722d7aa6e73eb98 Mon Sep 17 00:00:00 2001
+From: Thanassis Avgerinos
+Date: Wed, 17 Apr 2024 11:30:02 -0400
+Subject: firewire: nosy: ensure user_length is taken into account when fetching packet contents
+
+From: Thanassis Avgerinos
+
+commit 38762a0763c10c24a4915feee722d7aa6e73eb98 upstream.
+
+Ensure that packet_buffer_get respects the user_length provided. If
+the length of the head packet exceeds the user_length, packet_buffer_get
+will now return 0 to signify to the user that no data were read
+and a larger buffer size is required. Helps prevent user space overflows.
+
+Signed-off-by: Thanassis Avgerinos
+Signed-off-by: Takashi Sakamoto
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/firewire/nosy.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/firewire/nosy.c
++++ b/drivers/firewire/nosy.c
+@@ -148,10 +148,12 @@ packet_buffer_get(struct client *client,
+ if (atomic_read(&buffer->size) == 0)
+ return -ENODEV;
+
+- /* FIXME: Check length <= user_length. */
++ length = buffer->head->length;
++
++ if (length > user_length)
++ return 0;
+
+ end = buffer->data + buffer->capacity;
+- length = buffer->head->length;
+
+ if (&buffer->head->data[length] < end) {
+ if (copy_to_user(data, buffer->head->data, length))
diff --git a/queue-6.6/series b/queue-6.6/series
index ef8196dd07f..bf14c8c2be5 100644
--- a/queue-6.6/series
+++ b/queue-6.6/series
@@ -221,3 +221,4 @@ drm-amd-display-atom-integrated-system-info-v2_2-for.patch
 drm-amdgpu-fix-comparison-in-amdgpu_res_cpu_visible.patch
 drm-amdgpu-once-more-fix-the-call-oder-in-amdgpu_ttm_move-v2.patch
 btrfs-fix-kvcalloc-arguments-order-in-btrfs_ioctl_send.patch
+firewire-nosy-ensure-user_length-is-taken-into-account-when-fetching-packet-contents.patch
-- 
2.47.2
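Review bot: In the nosy.c hunk of the queued patch, the new `if (length > user_length) return 0;` leaves the oversized head packet queued and reports it with a value that, if this function backs a read() handler as the `user_length` parameter suggests, user space would normally read as end-of-file; a caller that retries with the same buffer size would then get 0 on every call. The bound is what keeps the `copy_to_user()` call that follows within the caller's buffer, but the removed FIXME is not replaced by anything recording the new contract, so I would add a comment above the check such as `/* Head packet does not fit in the caller's buffer: leave it queued and return 0 so the caller retries with a larger one. */`. If the ABI allows it, a distinct error code for the too-small case would be easier for callers to tell apart from an empty read. packet_buffer_get() starts before and continues after the lines shown here.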