5.4-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Fri, 24 Apr 2020 10:13:14 +0000 (12:13 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Fri, 24 Apr 2020 10:13:14 +0000 (12:13 +0200)
added patches:
f2fs-fix-to-avoid-memory-leakage-in-f2fs_listxattr.patch
net-ip_tunnel-fix-interface-lookup-with-no-key.patch

queue-5.4/f2fs-fix-to-avoid-memory-leakage-in-f2fs_listxattr.patch [new file with mode: 0644]
queue-5.4/net-ip_tunnel-fix-interface-lookup-with-no-key.patch [new file with mode: 0644]
queue-5.4/series

diff --git a/queue-5.4/f2fs-fix-to-avoid-memory-leakage-in-f2fs_listxattr.patch b/queue-5.4/f2fs-fix-to-avoid-memory-leakage-in-f2fs_listxattr.patch
new file mode 100644 (file)
index 0000000..14257fa
--- /dev/null
@@ -0,0 +1,62 @@
+From 688078e7f36c293dae25b338ddc9e0a2790f6e06 Mon Sep 17 00:00:00 2001
+From: Randall Huang <huangrandall@google.com>
+Date: Fri, 18 Oct 2019 14:56:22 +0800
+Subject: f2fs: fix to avoid memory leakage in f2fs_listxattr
+
+From: Randall Huang <huangrandall@google.com>
+
+commit 688078e7f36c293dae25b338ddc9e0a2790f6e06 upstream.
+
+In f2fs_listxattr, there is no boundary check before
+memcpy e_name to buffer.
+If the e_name_len is corrupted,
+unexpected memory contents may be returned to the buffer.
+
+Signed-off-by: Randall Huang <huangrandall@google.com>
+Reviewed-by: Chao Yu <yuchao0@huawei.com>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Cc: Ben Hutchings <ben.hutchings@codethink.co.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/f2fs/xattr.c |   14 +++++++++++++-
+ 1 file changed, 13 insertions(+), 1 deletion(-)
+
+--- a/fs/f2fs/xattr.c
++++ b/fs/f2fs/xattr.c
+@@ -539,8 +539,9 @@ out:
+ ssize_t f2fs_listxattr(struct dentry *dentry, char *buffer, size_t buffer_size)
+ {
+       struct inode *inode = d_inode(dentry);
++      nid_t xnid = F2FS_I(inode)->i_xattr_nid;
+       struct f2fs_xattr_entry *entry;
+-      void *base_addr;
++      void *base_addr, *last_base_addr;
+       int error = 0;
+       size_t rest = buffer_size;
+@@ -550,6 +551,8 @@ ssize_t f2fs_listxattr(struct dentry *de
+       if (error)
+               return error;
++      last_base_addr = (void *)base_addr + XATTR_SIZE(xnid, inode);
++
+       list_for_each_xattr(entry, base_addr) {
+               const struct xattr_handler *handler =
+                       f2fs_xattr_handler(entry->e_name_index);
+@@ -557,6 +560,15 @@ ssize_t f2fs_listxattr(struct dentry *de
+               size_t prefix_len;
+               size_t size;
++              if ((void *)(entry) + sizeof(__u32) > last_base_addr ||
++                      (void *)XATTR_NEXT_ENTRY(entry) > last_base_addr) {
++                      f2fs_err(F2FS_I_SB(inode), "inode (%lu) has corrupted xattr",
++                                              inode->i_ino);
++                      set_sbi_flag(F2FS_I_SB(inode), SBI_NEED_FSCK);
++                      error = -EFSCORRUPTED;
++                      goto cleanup;
++              }
++
+               if (!handler || (handler->list && !handler->list(dentry)))
+                       continue;
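Review bot: The new bound check in the third inner hunk runs inside the loop body, after `list_for_each_xattr` has already evaluated its termination test on `entry`; if that macro (defined outside this hunk) reads `entry->e_name_index` to detect the last entry, as its use here suggests, then the first 4-byte read of a truncated trailing entry still happens before the `sizeof(__u32)` guard rejects it, and the check would be safer moved into the loop macro or done on the next entry before advancing. Independently, the bare `sizeof(__u32)` deserves a why-comment, since a reader cannot tell which fields it stands for; something like `/* need the entry header (index/name_len/value_size) in range before XATTR_NEXT_ENTRY can be trusted to compute the full entry's end */` above the `if` makes the two-step check self-explaining. The error path also reports a "memory leakage" in the subject, but what the check prevents is reading past the xattr block into unrelated memory and copying it to the caller, i.e. an information disclosure, which is worth stating in the comment so the severity is not misread. f2fs_listxattr continues past the hunk (the `cleanup` label and the copy loop are not visible here).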
diff --git a/queue-5.4/net-ip_tunnel-fix-interface-lookup-with-no-key.patch b/queue-5.4/net-ip_tunnel-fix-interface-lookup-with-no-key.patch
new file mode 100644 (file)
index 0000000..bb67897
--- /dev/null
@@ -0,0 +1,55 @@
+From 25629fdaff2ff509dd0b3f5ff93d70a75e79e0a1 Mon Sep 17 00:00:00 2001
+From: William Dauchy <w.dauchy@criteo.com>
+Date: Fri, 27 Mar 2020 19:56:39 +0100
+Subject: net, ip_tunnel: fix interface lookup with no key
+
+From: William Dauchy <w.dauchy@criteo.com>
+
+commit 25629fdaff2ff509dd0b3f5ff93d70a75e79e0a1 upstream.
+
+when creating a new ipip interface with no local/remote configuration,
+the lookup is done with TUNNEL_NO_KEY flag, making it impossible to
+match the new interface (only possible match being fallback or metada
+case interface); e.g: `ip link add tunl1 type ipip dev eth0`
+
+To fix this case, adding a flag check before the key comparison so we
+permit to match an interface with no local/remote config; it also avoids
+breaking possible userland tools relying on TUNNEL_NO_KEY flag and
+uninitialised key.
+
+context being on my side, I'm creating an extra ipip interface attached
+to the physical one, and moving it to a dedicated namespace.
+
+Fixes: c54419321455 ("GRE: Refactor GRE tunneling code.")
+Signed-off-by: William Dauchy <w.dauchy@criteo.com>
+Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/ipv4/ip_tunnel.c |    6 +-----
+ 1 file changed, 1 insertion(+), 5 deletions(-)
+
+--- a/net/ipv4/ip_tunnel.c
++++ b/net/ipv4/ip_tunnel.c
+@@ -142,11 +142,8 @@ struct ip_tunnel *ip_tunnel_lookup(struc
+                       cand = t;
+       }
+-      if (flags & TUNNEL_NO_KEY)
+-              goto skip_key_lookup;
+-
+       hlist_for_each_entry_rcu(t, head, hash_node) {
+-              if (t->parms.i_key != key ||
++              if ((!(flags & TUNNEL_NO_KEY) && t->parms.i_key != key) ||
+                   t->parms.iph.saddr != 0 ||
+                   t->parms.iph.daddr != 0 ||
+                   !(t->dev->flags & IFF_UP))
+@@ -158,7 +155,6 @@ struct ip_tunnel *ip_tunnel_lookup(struc
+                       cand = t;
+       }
+-skip_key_lookup:
+       if (cand)
+               return cand;
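Review bot: The rewritten condition in the `hlist_for_each_entry_rcu` loop skips the key comparison entirely when the caller passes TUNNEL_NO_KEY, so a tunnel that has no local/remote address but was configured with an input key can now be selected for a keyless packet; the preceding lookup loops are untouched by the patch and, judging from the removed `skip_key_lookup` structure, presumably still compare `t->parms.i_key` against `key` regardless of flags, leaving this wildcard loop as the one that ignores a configured key. If a keyed wildcard tunnel should not receive keyless traffic, the NO_KEY branch should still exclude it, e.g. `if (((flags & TUNNEL_NO_KEY) ? (t->parms.i_flags & TUNNEL_KEY) : t->parms.i_key != key) ||`, assuming `parms.i_flags` carries TUNNEL_KEY for keyed tunnels as the netlink setup path would set it — worth confirming against the callers that pass TUNNEL_NO_KEY. A short comment on the new line, `/* TUNNEL_NO_KEY: match tunnels with no local/remote config, key is uninitialised */`, would record the reason in the code rather than only in the commit message. ip_tunnel_lookup begins and ends outside the hunk.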
index cb481c941cb6d6db23689aa7573eac9971793fbe..58475073521048e03dbd594f363dd960541a1193 100644 (file)
@@ -1 +1,3 @@
 ext4-fix-extent_status-fragmentation-for-plain-files.patch
+f2fs-fix-to-avoid-memory-leakage-in-f2fs_listxattr.patch
+net-ip_tunnel-fix-interface-lookup-with-no-key.patch