--- /dev/null
+From c1ad35dd0548ce947d97aaf92f7f2f9a202951cf Mon Sep 17 00:00:00 2001
+From: Jan Kara <jack@suse.cz>
+Date: Tue, 10 May 2022 12:36:04 +0200
+Subject: udf: Avoid using stale lengthOfImpUse
+
+From: Jan Kara <jack@suse.cz>
+
+commit c1ad35dd0548ce947d97aaf92f7f2f9a202951cf upstream.
+
+udf_write_fi() uses lengthOfImpUse of the entry it is writing to.
+However this field has not yet been initialized so it either contains
+completely bogus value or value from last directory entry at that place.
+In either case this is wrong and can lead to filesystem corruption or
+kernel crashes.
+
+Reported-by: butt3rflyh4ck <butterflyhuangxx@gmail.com>
+CC: stable@vger.kernel.org
+Fixes: 979a6e28dd96 ("udf: Get rid of 0-length arrays in struct fileIdentDesc")
+Signed-off-by: Jan Kara <jack@suse.cz>
+[ This patch deviates from the original upstream patch because in the
+original upstream patch, udf_get_fi_ident(sfi) was being used instead of
+(uint8_t *)sfi->fileIdent + liu as the first arg to memcpy at line 77
+and line 81. Those subsequent lines have been replaced with what the
+upstream patch passes in to memcpy. ]
+Signed-off-by: Nobel Barakat <nobelbarakat@google.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/udf/namei.c | 9 ++++-----
+ 1 file changed, 4 insertions(+), 5 deletions(-)
+
+--- a/fs/udf/namei.c
++++ b/fs/udf/namei.c
+@@ -75,12 +75,11 @@ int udf_write_fi(struct inode *inode, st
+
+ if (fileident) {
+ if (adinicb || (offset + lfi < 0)) {
+- memcpy((uint8_t *)sfi->fileIdent + liu, fileident, lfi);
++ memcpy(sfi->impUse + liu, fileident, lfi);
+ } else if (offset >= 0) {
+ memcpy(fibh->ebh->b_data + offset, fileident, lfi);
+ } else {
+- memcpy((uint8_t *)sfi->fileIdent + liu, fileident,
+- -offset);
++ memcpy(sfi->impUse + liu, fileident, -offset);
+ memcpy(fibh->ebh->b_data, fileident - offset,
+ lfi + offset);
+ }
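Review bot: Neither hunk shows where `liu` is assigned, and the description locates the bug in reading lengthOfImpUse from the not-yet-initialised entry, so the four changed lines only fix it if `liu` comes from the caller's descriptor rather than from `sfi`. If this tree still declares `impUse`, `fileIdent` and `padding` as zero-length arrays at the same offset (not visible here), `sfi->fileIdent + liu` and `sfi->impUse + liu` are the same address and the backport is only a spelling change. This should be confirmed against the declaration of `liu` at the top of udf_write_fi(), which lies outside the hunk, and recorded with a comment above the first memcpy such as `/* liu must come from cfi; sfi->lengthOfImpUse is not valid yet */`. The same applies to the two memset calls in the second hunk.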
+@@ -89,11 +88,11 @@ int udf_write_fi(struct inode *inode, st
+ offset += lfi;
+
+ if (adinicb || (offset + padlen < 0)) {
+- memset((uint8_t *)sfi->padding + liu + lfi, 0x00, padlen);
++ memset(sfi->impUse + liu + lfi, 0x00, padlen);
+ } else if (offset >= 0) {
+ memset(fibh->ebh->b_data + offset, 0x00, padlen);
+ } else {
+- memset((uint8_t *)sfi->padding + liu + lfi, 0x00, -offset);
++ memset(sfi->impUse + liu + lfi, 0x00, -offset);
+ memset(fibh->ebh->b_data, 0x00, padlen + offset);
+ }
+
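Review bot: The first branch passes `padlen` straight to memset() as the length, and nothing in this hunk shows it is non-negative when `adinicb` is set. `padlen` is computed before the hunk; if it is a signed value derived from the descriptor's length fields, as the `offset + padlen < 0` test suggests, a corrupted entry could make it negative and the conversion to size_t would zero far more than the padding. A guard ahead of this block, `if (padlen < 0)` returning the function's existing error code, would make the bound explicit. The final else branch needs no such guard, since it is reached only with `offset < 0` and `offset + padlen >= 0`.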