From 907f2ade7a8d4572c1c6b7ef6aa2b7be98dd48eb Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Sun, 15 Jan 2023 15:14:28 +0100
Subject: [PATCH] 5.10-stable patches added patches: netfilter-ipset-fix-overflow-before-widen-in-the-bitmap_ip_create-function.patch
---
 ...den-in-the-bitmap_ip_create-function.patch | 41 +++++++++++++++++++
 queue-5.10/series | 1 +
 2 files changed, 42 insertions(+)
 create mode 100644 queue-5.10/netfilter-ipset-fix-overflow-before-widen-in-the-bitmap_ip_create-function.patch
diff --git a/queue-5.10/netfilter-ipset-fix-overflow-before-widen-in-the-bitmap_ip_create-function.patch b/queue-5.10/netfilter-ipset-fix-overflow-before-widen-in-the-bitmap_ip_create-function.patch
new file mode 100644
index 00000000000..cdabf343b50
--- /dev/null
+++ b/queue-5.10/netfilter-ipset-fix-overflow-before-widen-in-the-bitmap_ip_create-function.patch
@@ -0,0 +1,41 @@
+From 9ea4b476cea1b7d461d16dda25ca3c7e616e2d15 Mon Sep 17 00:00:00 2001
+From: Gavrilov Ilia
+Date: Wed, 11 Jan 2023 11:57:39 +0000
+Subject: netfilter: ipset: Fix overflow before widen in the bitmap_ip_create() function.
+
+From: Gavrilov Ilia
+
+commit 9ea4b476cea1b7d461d16dda25ca3c7e616e2d15 upstream.
+
+When first_ip is 0, last_ip is 0xFFFFFFFF, and netmask is 31, the value of
+an arithmetic expression 2 << (netmask - mask_bits - 1) is subject
+to overflow due to a failure casting operands to a larger data type
+before performing the arithmetic.
+
+Note that it's harmless since the value will be checked at the next step.
+
+Found by InfoTeCS on behalf of Linux Verification Center
+(linuxtesting.org) with SVACE.
+
+Fixes: b9fed748185a ("netfilter: ipset: Check and reject crazy /0 input parameters")
+Signed-off-by: Ilia.Gavrilov
+Reviewed-by: Simon Horman
+Signed-off-by: Pablo Neira Ayuso
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/netfilter/ipset/ip_set_bitmap_ip.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/net/netfilter/ipset/ip_set_bitmap_ip.c
++++ b/net/netfilter/ipset/ip_set_bitmap_ip.c
+@@ -308,8 +308,8 @@ bitmap_ip_create(struct net *net, struct
+ return -IPSET_ERR_BITMAP_RANGE;
+
+ pr_debug("mask_bits %u, netmask %u\n", mask_bits, netmask);
+- hosts = 2 << (32 - netmask - 1);
+- elements = 2 << (netmask - mask_bits - 1);
++ hosts = 2U << (32 - netmask - 1);
++ elements = 2UL << (netmask - mask_bits - 1);
+ }
+ if (elements > IPSET_BITMAP_MAX_RANGE + 1)
+ return -IPSET_ERR_BITMAP_RANGE_SIZE;
diff --git a/queue-5.10/series b/queue-5.10/series
index b488f7ac5fe..e440808c802 100644
--- a/queue-5.10/series
+++ b/queue-5.10/series
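Review bot: The `2UL` literal on the new `elements = 2UL << (netmask - mask_bits - 1);` line of the queued patch is `unsigned long`, which is 32 bits wide on 32-bit builds, so the widening this fix is named for only happens on 64-bit kernels. If `elements` is declared as a 64-bit type (its declaration is outside the hunk, as is the start of `bitmap_ip_create()`), `elements = 2ULL << (netmask - mask_bits - 1);` would state the intended width on every architecture. The 32-bit result still appears safe for the case in the commit message, because a shift count of 30 gives 2^31 and that fits an unsigned 32-bit value, but this relies on a bound for `netmask` that the hunk does not show. A short comment above the two shifts, for example `/* shift counts are at most 30 here */`, would record that assumption once it is confirmed against the full function.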
@@ -32,3 +32,4 @@ xhci-prevent-infinite-loop-in-transaction-errors-rec.patch
 usb-ulpi-defer-ulpi_register-on-ulpi_read_id-timeout.patch
 ext4-fix-uninititialized-value-in-ext4_evict_inode.patch
 xfrm-fix-rcu-lock-in-xfrm_notify_userpolicy.patch
+netfilter-ipset-fix-overflow-before-widen-in-the-bitmap_ip_create-function.patch
--
2.47.3