--- /dev/null
+From 38f802543fce4c7c3601e86bc7d867dc0701b778 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 15 Dec 2023 19:59:14 -0300
+Subject: smb: client: fix OOB in smbCalcSize()
+
+From: Paulo Alcantara <pc@manguebit.com>
+
+[ Upstream commit b35858b3786ddbb56e1c35138ba25d6adf8d0bef ]
+
+Validate @smb->WordCount to avoid reading off the end of @smb and thus
+causing the following KASAN splat:
+
+ BUG: KASAN: slab-out-of-bounds in smbCalcSize+0x32/0x40 [cifs]
+ Read of size 2 at addr ffff88801c024ec5 by task cifsd/1328
+
+ CPU: 1 PID: 1328 Comm: cifsd Not tainted 6.7.0-rc5 #9
+ Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS
+ rel-1.16.2-3-gd478f380-rebuilt.opensuse.org 04/01/2014
+ Call Trace:
+ <TASK>
+ dump_stack_lvl+0x4a/0x80
+ print_report+0xcf/0x650
+ ? srso_alias_return_thunk+0x5/0xfbef5
+ ? srso_alias_return_thunk+0x5/0xfbef5
+ ? __phys_addr+0x46/0x90
+ kasan_report+0xd8/0x110
+ ? smbCalcSize+0x32/0x40 [cifs]
+ ? smbCalcSize+0x32/0x40 [cifs]
+ kasan_check_range+0x105/0x1b0
+ smbCalcSize+0x32/0x40 [cifs]
+ checkSMB+0x162/0x370 [cifs]
+ ? __pfx_checkSMB+0x10/0x10 [cifs]
+ cifs_handle_standard+0xbc/0x2f0 [cifs]
+ ? srso_alias_return_thunk+0x5/0xfbef5
+ cifs_demultiplex_thread+0xed1/0x1360 [cifs]
+ ? __pfx_cifs_demultiplex_thread+0x10/0x10 [cifs]
+ ? srso_alias_return_thunk+0x5/0xfbef5
+ ? lockdep_hardirqs_on_prepare+0x136/0x210
+ ? __pfx_lock_release+0x10/0x10
+ ? srso_alias_return_thunk+0x5/0xfbef5
+ ? mark_held_locks+0x1a/0x90
+ ? lockdep_hardirqs_on_prepare+0x136/0x210
+ ? srso_alias_return_thunk+0x5/0xfbef5
+ ? srso_alias_return_thunk+0x5/0xfbef5
+ ? __kthread_parkme+0xce/0xf0
+ ? __pfx_cifs_demultiplex_thread+0x10/0x10 [cifs]
+ kthread+0x18d/0x1d0
+ ? kthread+0xdb/0x1d0
+ ? __pfx_kthread+0x10/0x10
+ ret_from_fork+0x34/0x60
+ ? __pfx_kthread+0x10/0x10
+ ret_from_fork_asm+0x1b/0x30
+ </TASK>
+
+This fixes CVE-2023-6606.
+
+Reported-by: j51569436@gmail.com
+Closes: https://bugzilla.kernel.org/show_bug.cgi?id=218218
+Cc: stable@vger.kernel.org
+Signed-off-by: Paulo Alcantara (SUSE) <pc@manguebit.com>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/cifs/misc.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/fs/cifs/misc.c b/fs/cifs/misc.c
+index dd67f56ea61e5..c9ebfff5190a8 100644
+--- a/fs/cifs/misc.c
++++ b/fs/cifs/misc.c
+@@ -338,6 +338,10 @@ checkSMB(char *buf, unsigned int total_read, struct TCP_Server_Info *server)
+ cifs_dbg(VFS, "Length less than smb header size\n");
+ }
+ return -EIO;
++ } else if (total_read < sizeof(*smb) + 2 * smb->WordCount) {
++ cifs_dbg(VFS, "%s: can't read BCC due to invalid WordCount(%u)\n",
++ __func__, smb->WordCount);
++ return -EIO;
+ }
+
+ /* otherwise, there is enough to get to the BCC */
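Review bot: The added `else if` guard compares `total_read` with the offset where BCC starts, not with the end of that field, so a frame whose `total_read` equals `sizeof(*smb) + 2 * smb->WordCount` still passes. The KASAN report in the commit message shows a 2-byte read in smbCalcSize(); if that read is the BCC field at this offset, up to two bytes past the data actually received can still be read. Consider `} else if (total_read < sizeof(*smb) + 2 * smb->WordCount + 2) {`, after confirming that it does not reject the short responses the preceding branch appears to tolerate. checkSMB() starts and ends outside this hunk, so the earlier length check and the later BCC use are not visible here and should be checked against the full function.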
+--
+2.43.0
+
--- /dev/null
+From 819aa1d773adbe0d7c2949c5f77b9eb84f10e20a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 13 Dec 2023 16:22:43 +0300
+Subject: usb: fotg210-hcd: delete an incorrect bounds test
+
+From: Dan Carpenter <dan.carpenter@linaro.org>
+
+[ Upstream commit 7fbcd195e2b8cc952e4aeaeb50867b798040314c ]
+
+Here "temp" is the number of characters that we have written and "size"
+is the size of the buffer. The intent was clearly to say that if we have
+written to the end of the buffer then stop.
+
+However, for that to work the comparison should have been done on the
+original "size" value instead of the "size -= temp" value. Not only
+will that not trigger when we want to, but there is a small chance that
+it will trigger incorrectly before we want it to and we break from the
+loop slightly earlier than intended.
+
+This code was recently changed from using snprintf() to scnprintf(). With
+snprintf() we likely would have continued looping and passed a negative
+size parameter to snprintf(). This would have triggered an annoying
+WARN(). Now that we have converted to scnprintf() "size" will never
+drop below 1 and there is no real need for this test. We could change
+the condition to "if (temp <= 1) goto done;" but just deleting the test
+is cleanest.
+
+Fixes: 7d50195f6c50 ("usb: host: Faraday fotg210-hcd driver")
+Cc: stable <stable@kernel.org>
+Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
+Reviewed-by: Linus Walleij <linus.walleij@linaro.org>
+Reviewed-by: Lee Jones <lee@kernel.org>
+Link: https://lore.kernel.org/r/ZXmwIwHe35wGfgzu@suswa
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/host/fotg210-hcd.c | 3 ---
+ 1 file changed, 3 deletions(-)
+
+diff --git a/drivers/usb/host/fotg210-hcd.c b/drivers/usb/host/fotg210-hcd.c
+index 1577424319613..d87b4fb0d9af6 100644
+--- a/drivers/usb/host/fotg210-hcd.c
++++ b/drivers/usb/host/fotg210-hcd.c
+@@ -426,8 +426,6 @@ static void qh_lines(struct fotg210_hcd *fotg210, struct fotg210_qh *qh,
+ temp = size;
+ size -= temp;
+ next += temp;
+- if (temp == size)
+- goto done;
+ }
+
+ temp = snprintf(next, size, "\n");
+@@ -437,7 +435,6 @@ static void qh_lines(struct fotg210_hcd *fotg210, struct fotg210_qh *qh,
+ size -= temp;
+ next += temp;
+
+-done:
+ *sizep = size;
+ *nextp = next;
+ }
+--
+2.43.0
+