From: Greg Kroah-Hartman Date: Tue, 3 Dec 2024 11:48:01 +0000 (+0100) Subject: 4.19-stable patches X-Git-Tag: v4.19.325~25 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=623807801fb9e106de24e395c7996c992960cdb7;p=thirdparty%2Fkernel%2Fstable-queue.git 4.19-stable patches added patches: lib-string_helpers-silence-snprintf-output-truncation-warning.patch nfsd-prevent-a-potential-integer-overflow.patch
---
diff --git a/queue-4.19/lib-string_helpers-silence-snprintf-output-truncation-warning.patch b/queue-4.19/lib-string_helpers-silence-snprintf-output-truncation-warning.patch
new file mode 100644
index 00000000000..50a3d122196
--- /dev/null
+++ b/queue-4.19/lib-string_helpers-silence-snprintf-output-truncation-warning.patch
@@ -0,0 +1,40 @@
+From a508ef4b1dcc82227edc594ffae583874dd425d7 Mon Sep 17 00:00:00 2001
+From: Bartosz Golaszewski
+Date: Fri, 1 Nov 2024 21:54:53 +0100
+Subject: lib: string_helpers: silence snprintf() output truncation warning
+
+From: Bartosz Golaszewski
+
+commit a508ef4b1dcc82227edc594ffae583874dd425d7 upstream.
+
+The output of ".%03u" with the unsigned int in range [0, 4294966295] may
+get truncated if the target buffer is not 12 bytes. This can't really
+happen here as the 'remainder' variable cannot exceed 999 but the
+compiler doesn't know it. To make it happy just increase the buffer to
+where the warning goes away.
+
+Fixes: 3c9f3681d0b4 ("[SCSI] lib: add generic helper to print sizes rounded to the correct SI range")
+Signed-off-by: Bartosz Golaszewski
+Reviewed-by: Andy Shevchenko
+Cc: James E.J. Bottomley
+Cc: Kees Cook
+Cc: stable@vger.kernel.org
+Signed-off-by: Andrew Morton
+Link: https://lore.kernel.org/r/20241101205453.9353-1-brgl@bgdev.pl
+Signed-off-by: Kees Cook
+Signed-off-by: Greg Kroah-Hartman
+---
+ lib/string_helpers.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/lib/string_helpers.c
++++ b/lib/string_helpers.c
+@@ -50,7 +50,7 @@ void string_get_size(u64 size, u64 blk_s
+ static const unsigned int rounding[] = { 500, 50, 5 };
+ int i = 0, j;
+ u32 remainder = 0, sf_cap;
+- char tmp[8];
++ char tmp[12];
+ const char *unit;
+
+ tmp[0] = '\0';
diff --git a/queue-4.19/nfsd-prevent-a-potential-integer-overflow.patch b/queue-4.19/nfsd-prevent-a-potential-integer-overflow.patch
new file mode 100644
index 00000000000..5eafbb2e213
--- /dev/null
+++ b/queue-4.19/nfsd-prevent-a-potential-integer-overflow.patch
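Review bot: The new size in `char tmp[12];` (lib/string_helpers.c, string_get_size()) is a bare magic number; nothing at the declaration records that it is the '.' plus the ten digits of a full-range u32 plus the terminator, which only the commit message explains. I would write it as `char tmp[12]; /* '.' + 10 digits of a u32 + NUL; remainder stays below 1000 */`. Because this silences a truncation warning rather than fixing a bound, it is worth confirming on the 4.19 tree that the formatting call, which is outside this hunk, passes `sizeof(tmp)` and not a literal size. If it passes a literal size, the larger array would change nothing. string_get_size() begins and ends outside the hunk.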
@@ -0,0 +1,50 @@
+From 7f33b92e5b18e904a481e6e208486da43e4dc841 Mon Sep 17 00:00:00 2001
+From: Chuck Lever
+Date: Tue, 17 Sep 2024 12:15:23 -0400
+Subject: NFSD: Prevent a potential integer overflow
+
+From: Chuck Lever
+
+commit 7f33b92e5b18e904a481e6e208486da43e4dc841 upstream.
+
+If the tag length is >= U32_MAX - 3 then the "length + 4" addition
+can result in an integer overflow. Address this by splitting the
+decoding into several steps so that decode_cb_compound4res() does
+not have to perform arithmetic on the unsafe length value.
+
+Reported-by: Dan Carpenter
+Cc: stable@vger.kernel.org
+Reviewed-by: Jeff Layton
+Signed-off-by: Chuck Lever
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/nfsd/nfs4callback.c | 14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+--- a/fs/nfsd/nfs4callback.c
++++ b/fs/nfsd/nfs4callback.c
+@@ -283,17 +283,17 @@ static int decode_cb_compound4res(struct
+ u32 length;
+ __be32 *p;
+
+- p = xdr_inline_decode(xdr, 4 + 4);
++ p = xdr_inline_decode(xdr, XDR_UNIT);
+ if (unlikely(p == NULL))
+ goto out_overflow;
+- hdr->status = be32_to_cpup(p++);
++ hdr->status = be32_to_cpup(p);
+ /* Ignore the tag */
+- length = be32_to_cpup(p++);
+- p = xdr_inline_decode(xdr, length + 4);
+- if (unlikely(p == NULL))
++ if (xdr_stream_decode_u32(xdr, &length) < 0)
++ goto out_overflow;
++ if (xdr_inline_decode(xdr, length) == NULL)
++ goto out_overflow;
++ if (xdr_stream_decode_u32(xdr, &hdr->nops) < 0)
+ goto out_overflow;
+- p += XDR_QUADLEN(length);
+- hdr->nops = be32_to_cpup(p);
+ return 0;
+ out_overflow:
+ return -EIO;
diff --git a/queue-4.19/series b/queue-4.19/series
index 4a9a87aaf07..f1bcc71a740 100644
--- a/queue-4.19/series
+++ b/queue-4.19/series
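Review bot: The tag `length` in decode_cb_compound4res() (fs/nfsd/nfs4callback.c) is still untrusted wire data with no bound of its own in the new lines; rejecting an oversized value and skipping the XDR padding are both left to `xdr_inline_decode(xdr, length)`, whose body is not visible in this hunk. The old code made the padding explicit with `XDR_QUADLEN(length)`, so the comment should now carry that assumption, for example `/* Ignore the tag: length is untrusted; xdr_inline_decode() must bound it to the remaining buffer and consume the padded size */`. For this 4.19 backport it is also worth a build check that `XDR_UNIT` and `xdr_stream_decode_u32()` exist in that tree, since neither definition appears here. The function's signature and its beginning are outside the hunk.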
@@ -122,3 +122,5 @@ block-fix-ordering-between-checking-blk_mq_s_stopped-request-adding.patch
 hid-wacom-interpret-tilt-data-from-intuos-pro-bt-as-signed-values.patch
 media-wl128x-fix-atomicity-violation-in-fmc_send_cmd.patch
 usb-dwc3-gadget-fix-checking-for-number-of-trbs-left.patch
+lib-string_helpers-silence-snprintf-output-truncation-warning.patch
+nfsd-prevent-a-potential-integer-overflow.patch