From: Sasha Levin Date: Thu, 19 Sep 2024 00:08:29 +0000 (-0400) Subject: Drop ocfs2-strict-bound-check-before-memcmp-in-ocfs2_xattr_find_entry.patch X-Git-Tag: v6.1.112~47 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=7577d7f633c4a025f123348dbc06f4cc383b0311;p=thirdparty%2Fkernel%2Fstable-queue.git Drop ocfs2-strict-bound-check-before-memcmp-in-ocfs2_xattr_find_entry.patch Signed-off-by: Sasha Levin --- diff --git a/queue-4.19/ocfs2-strict-bound-check-before-memcmp-in-ocfs2_xattr_find_entry.patch b/queue-4.19/ocfs2-strict-bound-check-before-memcmp-in-ocfs2_xattr_find_entry.patch deleted file mode 100644 index 456237d9f35..00000000000 --- a/queue-4.19/ocfs2-strict-bound-check-before-memcmp-in-ocfs2_xattr_find_entry.patch +++ /dev/null 
@@ -1,62 +0,0 @@ -From af77c4fc1871847b528d58b7fdafb4aa1f6a9262 Mon Sep 17 00:00:00 2001 -From: Ferry Meng -Date: Mon, 20 May 2024 10:40:24 +0800 -Subject: ocfs2: strict bound check before memcmp in ocfs2_xattr_find_entry() - -From: Ferry Meng - -commit af77c4fc1871847b528d58b7fdafb4aa1f6a9262 upstream. - -xattr in ocfs2 maybe 'non-indexed', which saved with additional space -requested. It's better to check if the memory is out of bound before -memcmp, although this possibility mainly comes from crafted poisonous -images. - -Link: https://lkml.kernel.org/r/20240520024024.1976129-2-joseph.qi@linux.alibaba.com -Signed-off-by: Ferry Meng -Signed-off-by: Joseph Qi -Reported-by: lei lu -Reviewed-by: Joseph Qi -Cc: Changwei Ge -Cc: Gang He -Cc: Joel Becker -Cc: Jun Piao -Cc: Junxiao Bi -Cc: Mark Fasheh -Signed-off-by: Andrew Morton -Signed-off-by: Greg Kroah-Hartman ---- - fs/ocfs2/xattr.c | 15 ++++++++++----- - 1 file changed, 10 insertions(+), 5 deletions(-) - ---- a/fs/ocfs2/xattr.c -+++ b/fs/ocfs2/xattr.c -@@ -1082,7 +1082,7 @@ static int ocfs2_xattr_find_entry(int na - { - struct ocfs2_xattr_entry *entry; - size_t name_len; -- int i, cmp = 1; -+ int i, name_offset, cmp = 1; - - if (name == NULL) - return -EINVAL; -@@ -1093,10 +1093,15 @@ static int ocfs2_xattr_find_entry(int na - cmp = name_index - ocfs2_xattr_get_type(entry); - if (!cmp) - cmp = name_len - entry->xe_name_len; -- if (!cmp) -- cmp = memcmp(name, (xs->base + -- le16_to_cpu(entry->xe_name_offset)), -- name_len); -+ if (!cmp) { -+ name_offset = le16_to_cpu(entry->xe_name_offset); -+ if ((xs->base + name_offset + name_len) > xs->end) { -+ ocfs2_error(inode->i_sb, -+ "corrupted xattr entries"); -+ return -EFSCORRUPTED; -+ } -+ cmp = memcmp(name, (xs->base + name_offset), name_len); -+ } - if (cmp == 0) - break; - entry += 1; diff --git a/queue-4.19/series b/queue-4.19/series index f82422bd069..9ccee0e6e49 100644 --- a/queue-4.19/series +++ b/queue-4.19/series 
@@ -12,4 +12,3 @@ net-dpaa-pad-packets-to-eth_zlen.patch soundwire-stream-revert-soundwire-stream-fix-programming-slave-ports-for-non-continous-port-maps.patch selftests-vm-remove-call-to-ksft_set_plan.patch selftests-kcmp-remove-call-to-ksft_set_plan.patch -ocfs2-strict-bound-check-before-memcmp-in-ocfs2_xattr_find_entry.patch diff --git a/queue-5.10/ocfs2-strict-bound-check-before-memcmp-in-ocfs2_xattr_find_entry.patch b/queue-5.10/ocfs2-strict-bound-check-before-memcmp-in-ocfs2_xattr_find_entry.patch deleted file mode 100644 index 71f4312d5c3..00000000000 --- a/queue-5.10/ocfs2-strict-bound-check-before-memcmp-in-ocfs2_xattr_find_entry.patch +++ /dev/null 
@@ -1,62 +0,0 @@ -From af77c4fc1871847b528d58b7fdafb4aa1f6a9262 Mon Sep 17 00:00:00 2001 -From: Ferry Meng -Date: Mon, 20 May 2024 10:40:24 +0800 -Subject: ocfs2: strict bound check before memcmp in ocfs2_xattr_find_entry() - -From: Ferry Meng - -commit af77c4fc1871847b528d58b7fdafb4aa1f6a9262 upstream. - -xattr in ocfs2 maybe 'non-indexed', which saved with additional space -requested. It's better to check if the memory is out of bound before -memcmp, although this possibility mainly comes from crafted poisonous -images. - -Link: https://lkml.kernel.org/r/20240520024024.1976129-2-joseph.qi@linux.alibaba.com -Signed-off-by: Ferry Meng -Signed-off-by: Joseph Qi -Reported-by: lei lu -Reviewed-by: Joseph Qi -Cc: Changwei Ge -Cc: Gang He -Cc: Joel Becker -Cc: Jun Piao -Cc: Junxiao Bi -Cc: Mark Fasheh -Signed-off-by: Andrew Morton -Signed-off-by: Greg Kroah-Hartman ---- - fs/ocfs2/xattr.c | 15 ++++++++++----- - 1 file changed, 10 insertions(+), 5 deletions(-) - ---- a/fs/ocfs2/xattr.c -+++ b/fs/ocfs2/xattr.c -@@ -1074,7 +1074,7 @@ static int ocfs2_xattr_find_entry(int na - { - struct ocfs2_xattr_entry *entry; - size_t name_len; -- int i, cmp = 1; -+ int i, name_offset, cmp = 1; - - if (name == NULL) - return -EINVAL; -@@ -1085,10 +1085,15 @@ static int ocfs2_xattr_find_entry(int na - cmp = name_index - ocfs2_xattr_get_type(entry); - if (!cmp) - cmp = name_len - entry->xe_name_len; -- if (!cmp) -- cmp = memcmp(name, (xs->base + -- le16_to_cpu(entry->xe_name_offset)), -- name_len); -+ if (!cmp) { -+ name_offset = le16_to_cpu(entry->xe_name_offset); -+ if ((xs->base + name_offset + name_len) > xs->end) { -+ ocfs2_error(inode->i_sb, -+ "corrupted xattr entries"); -+ return -EFSCORRUPTED; -+ } -+ cmp = memcmp(name, (xs->base + name_offset), name_len); -+ } - if (cmp == 0) - break; - entry += 1; diff --git a/queue-5.10/series b/queue-5.10/series index d61e95a132a..fdaa0d5ae37 100644 --- a/queue-5.10/series +++ b/queue-5.10/series 
@@ -26,4 +26,3 @@ spi-nxp-fspi-fix-the-kasan-report-out-of-bounds-bug.patch soundwire-stream-revert-soundwire-stream-fix-programming-slave-ports-for-non-continous-port-maps.patch asoc-meson-axg-card-fix-use-after-free.patch dma-buf-heaps-fix-off-by-one-in-cma-heap-fault-handler.patch -ocfs2-strict-bound-check-before-memcmp-in-ocfs2_xattr_find_entry.patch diff --git a/queue-5.15/ocfs2-strict-bound-check-before-memcmp-in-ocfs2_xattr_find_entry.patch b/queue-5.15/ocfs2-strict-bound-check-before-memcmp-in-ocfs2_xattr_find_entry.patch deleted file mode 100644 index 03d487fc92b..00000000000 --- a/queue-5.15/ocfs2-strict-bound-check-before-memcmp-in-ocfs2_xattr_find_entry.patch +++ /dev/null 
@@ -1,62 +0,0 @@ -From af77c4fc1871847b528d58b7fdafb4aa1f6a9262 Mon Sep 17 00:00:00 2001 -From: Ferry Meng -Date: Mon, 20 May 2024 10:40:24 +0800 -Subject: ocfs2: strict bound check before memcmp in ocfs2_xattr_find_entry() - -From: Ferry Meng - -commit af77c4fc1871847b528d58b7fdafb4aa1f6a9262 upstream. - -xattr in ocfs2 maybe 'non-indexed', which saved with additional space -requested. It's better to check if the memory is out of bound before -memcmp, although this possibility mainly comes from crafted poisonous -images. - -Link: https://lkml.kernel.org/r/20240520024024.1976129-2-joseph.qi@linux.alibaba.com -Signed-off-by: Ferry Meng -Signed-off-by: Joseph Qi -Reported-by: lei lu -Reviewed-by: Joseph Qi -Cc: Changwei Ge -Cc: Gang He -Cc: Joel Becker -Cc: Jun Piao -Cc: Junxiao Bi -Cc: Mark Fasheh -Signed-off-by: Andrew Morton -Signed-off-by: Greg Kroah-Hartman ---- - fs/ocfs2/xattr.c | 15 ++++++++++----- - 1 file changed, 10 insertions(+), 5 deletions(-) - ---- a/fs/ocfs2/xattr.c -+++ b/fs/ocfs2/xattr.c -@@ -1072,7 +1072,7 @@ static int ocfs2_xattr_find_entry(int na - { - struct ocfs2_xattr_entry *entry; - size_t name_len; -- int i, cmp = 1; -+ int i, name_offset, cmp = 1; - - if (name == NULL) - return -EINVAL; -@@ -1083,10 +1083,15 @@ static int ocfs2_xattr_find_entry(int na - cmp = name_index - ocfs2_xattr_get_type(entry); - if (!cmp) - cmp = name_len - entry->xe_name_len; -- if (!cmp) -- cmp = memcmp(name, (xs->base + -- le16_to_cpu(entry->xe_name_offset)), -- name_len); -+ if (!cmp) { -+ name_offset = le16_to_cpu(entry->xe_name_offset); -+ if ((xs->base + name_offset + name_len) > xs->end) { -+ ocfs2_error(inode->i_sb, -+ "corrupted xattr entries"); -+ return -EFSCORRUPTED; -+ } -+ cmp = memcmp(name, (xs->base + name_offset), name_len); -+ } - if (cmp == 0) - break; - entry += 1; diff --git a/queue-5.15/series b/queue-5.15/series index 14bffad7b04..b777983bcd5 100644 --- a/queue-5.15/series +++ b/queue-5.15/series 
@@ -42,4 +42,3 @@ spi-nxp-fspi-fix-the-kasan-report-out-of-bounds-bug.patch soundwire-stream-revert-soundwire-stream-fix-programming-slave-ports-for-non-continous-port-maps.patch dma-buf-heaps-fix-off-by-one-in-cma-heap-fault-handler.patch asoc-meson-axg-card-fix-use-after-free.patch -ocfs2-strict-bound-check-before-memcmp-in-ocfs2_xattr_find_entry.patch diff --git a/queue-5.4/ocfs2-strict-bound-check-before-memcmp-in-ocfs2_xattr_find_entry.patch b/queue-5.4/ocfs2-strict-bound-check-before-memcmp-in-ocfs2_xattr_find_entry.patch deleted file mode 100644 index 71f4312d5c3..00000000000 --- a/queue-5.4/ocfs2-strict-bound-check-before-memcmp-in-ocfs2_xattr_find_entry.patch +++ /dev/null 
@@ -1,62 +0,0 @@ -From af77c4fc1871847b528d58b7fdafb4aa1f6a9262 Mon Sep 17 00:00:00 2001 -From: Ferry Meng -Date: Mon, 20 May 2024 10:40:24 +0800 -Subject: ocfs2: strict bound check before memcmp in ocfs2_xattr_find_entry() - -From: Ferry Meng - -commit af77c4fc1871847b528d58b7fdafb4aa1f6a9262 upstream. - -xattr in ocfs2 maybe 'non-indexed', which saved with additional space -requested. It's better to check if the memory is out of bound before -memcmp, although this possibility mainly comes from crafted poisonous -images. - -Link: https://lkml.kernel.org/r/20240520024024.1976129-2-joseph.qi@linux.alibaba.com -Signed-off-by: Ferry Meng -Signed-off-by: Joseph Qi -Reported-by: lei lu -Reviewed-by: Joseph Qi -Cc: Changwei Ge -Cc: Gang He -Cc: Joel Becker -Cc: Jun Piao -Cc: Junxiao Bi -Cc: Mark Fasheh -Signed-off-by: Andrew Morton -Signed-off-by: Greg Kroah-Hartman ---- - fs/ocfs2/xattr.c | 15 ++++++++++----- - 1 file changed, 10 insertions(+), 5 deletions(-) - ---- a/fs/ocfs2/xattr.c -+++ b/fs/ocfs2/xattr.c -@@ -1074,7 +1074,7 @@ static int ocfs2_xattr_find_entry(int na - { - struct ocfs2_xattr_entry *entry; - size_t name_len; -- int i, cmp = 1; -+ int i, name_offset, cmp = 1; - - if (name == NULL) - return -EINVAL; -@@ -1085,10 +1085,15 @@ static int ocfs2_xattr_find_entry(int na - cmp = name_index - ocfs2_xattr_get_type(entry); - if (!cmp) - cmp = name_len - entry->xe_name_len; -- if (!cmp) -- cmp = memcmp(name, (xs->base + -- le16_to_cpu(entry->xe_name_offset)), -- name_len); -+ if (!cmp) { -+ name_offset = le16_to_cpu(entry->xe_name_offset); -+ if ((xs->base + name_offset + name_len) > xs->end) { -+ ocfs2_error(inode->i_sb, -+ "corrupted xattr entries"); -+ return -EFSCORRUPTED; -+ } -+ cmp = memcmp(name, (xs->base + name_offset), name_len); -+ } - if (cmp == 0) - break; - entry += 1; diff --git a/queue-5.4/series b/queue-5.4/series index 4353fbe640b..c574edd8c6e 100644 --- a/queue-5.4/series +++ b/queue-5.4/series 
@@ -10,4 +10,3 @@ net-dpaa-pad-packets-to-eth_zlen.patch spi-nxp-fspi-fix-the-kasan-report-out-of-bounds-bug.patch soundwire-stream-revert-soundwire-stream-fix-programming-slave-ports-for-non-continous-port-maps.patch selftests-breakpoints-fix-a-typo-of-function-name.patch -ocfs2-strict-bound-check-before-memcmp-in-ocfs2_xattr_find_entry.patch diff --git a/queue-6.1/ocfs2-strict-bound-check-before-memcmp-in-ocfs2_xattr_find_entry.patch b/queue-6.1/ocfs2-strict-bound-check-before-memcmp-in-ocfs2_xattr_find_entry.patch deleted file mode 100644 index 03d487fc92b..00000000000 --- a/queue-6.1/ocfs2-strict-bound-check-before-memcmp-in-ocfs2_xattr_find_entry.patch +++ /dev/null 
@@ -1,62 +0,0 @@ -From af77c4fc1871847b528d58b7fdafb4aa1f6a9262 Mon Sep 17 00:00:00 2001 -From: Ferry Meng -Date: Mon, 20 May 2024 10:40:24 +0800 -Subject: ocfs2: strict bound check before memcmp in ocfs2_xattr_find_entry() - -From: Ferry Meng - -commit af77c4fc1871847b528d58b7fdafb4aa1f6a9262 upstream. - -xattr in ocfs2 maybe 'non-indexed', which saved with additional space -requested. It's better to check if the memory is out of bound before -memcmp, although this possibility mainly comes from crafted poisonous -images. - -Link: https://lkml.kernel.org/r/20240520024024.1976129-2-joseph.qi@linux.alibaba.com -Signed-off-by: Ferry Meng -Signed-off-by: Joseph Qi -Reported-by: lei lu -Reviewed-by: Joseph Qi -Cc: Changwei Ge -Cc: Gang He -Cc: Joel Becker -Cc: Jun Piao -Cc: Junxiao Bi -Cc: Mark Fasheh -Signed-off-by: Andrew Morton -Signed-off-by: Greg Kroah-Hartman ---- - fs/ocfs2/xattr.c | 15 ++++++++++----- - 1 file changed, 10 insertions(+), 5 deletions(-) - ---- a/fs/ocfs2/xattr.c -+++ b/fs/ocfs2/xattr.c -@@ -1072,7 +1072,7 @@ static int ocfs2_xattr_find_entry(int na - { - struct ocfs2_xattr_entry *entry; - size_t name_len; -- int i, cmp = 1; -+ int i, name_offset, cmp = 1; - - if (name == NULL) - return -EINVAL; -@@ -1083,10 +1083,15 @@ static int ocfs2_xattr_find_entry(int na - cmp = name_index - ocfs2_xattr_get_type(entry); - if (!cmp) - cmp = name_len - entry->xe_name_len; -- if (!cmp) -- cmp = memcmp(name, (xs->base + -- le16_to_cpu(entry->xe_name_offset)), -- name_len); -+ if (!cmp) { -+ name_offset = le16_to_cpu(entry->xe_name_offset); -+ if ((xs->base + name_offset + name_len) > xs->end) { -+ ocfs2_error(inode->i_sb, -+ "corrupted xattr entries"); -+ return -EFSCORRUPTED; -+ } -+ cmp = memcmp(name, (xs->base + name_offset), name_len); -+ } - if (cmp == 0) - break; - entry += 1; diff --git a/queue-6.1/series b/queue-6.1/series index 53281433b5d..e69de29bb2d 100644 --- a/queue-6.1/series +++ b/queue-6.1/series 
@@ -1 +0,0 @@ -ocfs2-strict-bound-check-before-memcmp-in-ocfs2_xattr_find_entry.patch diff --git a/queue-6.10/ocfs2-strict-bound-check-before-memcmp-in-ocfs2_xattr_find_entry.patch b/queue-6.10/ocfs2-strict-bound-check-before-memcmp-in-ocfs2_xattr_find_entry.patch deleted file mode 100644 index be0e929aa73..00000000000 --- a/queue-6.10/ocfs2-strict-bound-check-before-memcmp-in-ocfs2_xattr_find_entry.patch +++ /dev/null 
@@ -1,62 +0,0 @@ -From af77c4fc1871847b528d58b7fdafb4aa1f6a9262 Mon Sep 17 00:00:00 2001 -From: Ferry Meng -Date: Mon, 20 May 2024 10:40:24 +0800 -Subject: ocfs2: strict bound check before memcmp in ocfs2_xattr_find_entry() - -From: Ferry Meng - -commit af77c4fc1871847b528d58b7fdafb4aa1f6a9262 upstream. - -xattr in ocfs2 maybe 'non-indexed', which saved with additional space -requested. It's better to check if the memory is out of bound before -memcmp, although this possibility mainly comes from crafted poisonous -images. - -Link: https://lkml.kernel.org/r/20240520024024.1976129-2-joseph.qi@linux.alibaba.com -Signed-off-by: Ferry Meng -Signed-off-by: Joseph Qi -Reported-by: lei lu -Reviewed-by: Joseph Qi -Cc: Changwei Ge -Cc: Gang He -Cc: Joel Becker -Cc: Jun Piao -Cc: Junxiao Bi -Cc: Mark Fasheh -Signed-off-by: Andrew Morton -Signed-off-by: Greg Kroah-Hartman ---- - fs/ocfs2/xattr.c | 15 ++++++++++----- - 1 file changed, 10 insertions(+), 5 deletions(-) - ---- a/fs/ocfs2/xattr.c -+++ b/fs/ocfs2/xattr.c -@@ -1068,7 +1068,7 @@ static int ocfs2_xattr_find_entry(int na - { - struct ocfs2_xattr_entry *entry; - size_t name_len; -- int i, cmp = 1; -+ int i, name_offset, cmp = 1; - - if (name == NULL) - return -EINVAL; -@@ -1079,10 +1079,15 @@ static int ocfs2_xattr_find_entry(int na - cmp = name_index - ocfs2_xattr_get_type(entry); - if (!cmp) - cmp = name_len - entry->xe_name_len; -- if (!cmp) -- cmp = memcmp(name, (xs->base + -- le16_to_cpu(entry->xe_name_offset)), -- name_len); -+ if (!cmp) { -+ name_offset = le16_to_cpu(entry->xe_name_offset); -+ if ((xs->base + name_offset + name_len) > xs->end) { -+ ocfs2_error(inode->i_sb, -+ "corrupted xattr entries"); -+ return -EFSCORRUPTED; -+ } -+ cmp = memcmp(name, (xs->base + name_offset), name_len); -+ } - if (cmp == 0) - break; - entry += 1; diff --git a/queue-6.10/series b/queue-6.10/series index 53281433b5d..e69de29bb2d 100644 --- a/queue-6.10/series +++ b/queue-6.10/series 
@@ -1 +0,0 @@ -ocfs2-strict-bound-check-before-memcmp-in-ocfs2_xattr_find_entry.patch diff --git a/queue-6.6/ocfs2-strict-bound-check-before-memcmp-in-ocfs2_xattr_find_entry.patch b/queue-6.6/ocfs2-strict-bound-check-before-memcmp-in-ocfs2_xattr_find_entry.patch deleted file mode 100644 index be0e929aa73..00000000000 --- a/queue-6.6/ocfs2-strict-bound-check-before-memcmp-in-ocfs2_xattr_find_entry.patch +++ /dev/null 
@@ -1,62 +0,0 @@ -From af77c4fc1871847b528d58b7fdafb4aa1f6a9262 Mon Sep 17 00:00:00 2001 -From: Ferry Meng -Date: Mon, 20 May 2024 10:40:24 +0800 -Subject: ocfs2: strict bound check before memcmp in ocfs2_xattr_find_entry() - -From: Ferry Meng - -commit af77c4fc1871847b528d58b7fdafb4aa1f6a9262 upstream. - -xattr in ocfs2 maybe 'non-indexed', which saved with additional space -requested. It's better to check if the memory is out of bound before -memcmp, although this possibility mainly comes from crafted poisonous -images. - -Link: https://lkml.kernel.org/r/20240520024024.1976129-2-joseph.qi@linux.alibaba.com -Signed-off-by: Ferry Meng -Signed-off-by: Joseph Qi -Reported-by: lei lu -Reviewed-by: Joseph Qi -Cc: Changwei Ge -Cc: Gang He -Cc: Joel Becker -Cc: Jun Piao -Cc: Junxiao Bi -Cc: Mark Fasheh -Signed-off-by: Andrew Morton -Signed-off-by: Greg Kroah-Hartman ---- - fs/ocfs2/xattr.c | 15 ++++++++++----- - 1 file changed, 10 insertions(+), 5 deletions(-) - ---- a/fs/ocfs2/xattr.c -+++ b/fs/ocfs2/xattr.c -@@ -1068,7 +1068,7 @@ static int ocfs2_xattr_find_entry(int na - { - struct ocfs2_xattr_entry *entry; - size_t name_len; -- int i, cmp = 1; -+ int i, name_offset, cmp = 1; - - if (name == NULL) - return -EINVAL; -@@ -1079,10 +1079,15 @@ static int ocfs2_xattr_find_entry(int na - cmp = name_index - ocfs2_xattr_get_type(entry); - if (!cmp) - cmp = name_len - entry->xe_name_len; -- if (!cmp) -- cmp = memcmp(name, (xs->base + -- le16_to_cpu(entry->xe_name_offset)), -- name_len); -+ if (!cmp) { -+ name_offset = le16_to_cpu(entry->xe_name_offset); -+ if ((xs->base + name_offset + name_len) > xs->end) { -+ ocfs2_error(inode->i_sb, -+ "corrupted xattr entries"); -+ return -EFSCORRUPTED; -+ } -+ cmp = memcmp(name, (xs->base + name_offset), name_len); -+ } - if (cmp == 0) - break; - entry += 1; diff --git a/queue-6.6/series b/queue-6.6/series index 53281433b5d..e69de29bb2d 100644 --- a/queue-6.6/series +++ b/queue-6.6/series 
@@ -1 +0,0 @@ -ocfs2-strict-bound-check-before-memcmp-in-ocfs2_xattr_find_entry.patch
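Review bot: The commit message gives no reason for the drop. It repeats the subject and carries only a Signed-off-by, yet it removes the backport of upstream commit af77c4fc1871847b528d58b7fdafb4aa1f6a9262 from seven queues (4.19, 5.4, 5.10, 5.15, 6.1, 6.6 and 6.10), and that backport adds an out-of-bounds check in front of a `memcmp` on on-disk xattr data. One possible reason is visible in the removed patch itself: the added lines call `ocfs2_error(inode->i_sb, "corrupted xattr entries")`, but the only declaration the patch changes is `int i, name_offset, cmp = 1;`, and the truncated hunk header `ocfs2_xattr_find_entry(int na` does not show an `inode` parameter. If the patch was dropped because it does not build in these trees or depends on an earlier change, please say so in the message and name the prerequisite, so the fix can be re-queued rather than lost.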
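Review bot: In the second fs/ocfs2/xattr.c hunk of the removed patch, the new check `(xs->base + name_offset + name_len) > xs->end` covers only the name bytes, while `entry->xe_name_len` and `entry->xe_name_offset` are read from `entry` before it, and `entry += 1` advances the pointer with no visible test that `entry` is still below `xs->end`. The loop condition lies outside the hunk, so when this is re-queued please confirm that the entry pointer is bounded as well, or queue the change that bounds it together with this one. Otherwise a corrupted entry count can still walk past the buffer before the name check is reached.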