From: Greg Kroah-Hartman Date: Tue, 7 Feb 2023 09:46:05 +0000 (+0100) Subject: 5.10-stable patches X-Git-Tag: v5.15.93~24 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=a0b2924f8abfcf94ed4ef360692f25af6f5fde4f;p=thirdparty%2Fkernel%2Fstable-queue.git 5.10-stable patches added patches: udf-avoid-using-stale-lengthofimpuse.patch
---
diff --git a/queue-5.10/series b/queue-5.10/series
index 2efd2821dc7..92f91d78a6a 100644
--- a/queue-5.10/series
+++ b/queue-5.10/series
@@ -79,3 +79,4 @@ squashfs-fix-handling-and-sanity-checking-of-xattr_ids-count.patch
 drm-i915-fix-potential-bit_17-double-free.patch
 nvmem-core-initialise-nvmem-id-early.patch
 nvmem-core-fix-cell-removal-on-error.patch
+udf-avoid-using-stale-lengthofimpuse.patch
diff --git a/queue-5.10/udf-avoid-using-stale-lengthofimpuse.patch b/queue-5.10/udf-avoid-using-stale-lengthofimpuse.patch
new file mode 100644
index 00000000000..3e006f899e2
--- /dev/null
+++ b/queue-5.10/udf-avoid-using-stale-lengthofimpuse.patch
@@ -0,0 +1,61 @@
+From c1ad35dd0548ce947d97aaf92f7f2f9a202951cf Mon Sep 17 00:00:00 2001
+From: Jan Kara
+Date: Tue, 10 May 2022 12:36:04 +0200
+Subject: udf: Avoid using stale lengthOfImpUse
+
+From: Jan Kara
+
+commit c1ad35dd0548ce947d97aaf92f7f2f9a202951cf upstream.
+
+udf_write_fi() uses lengthOfImpUse of the entry it is writing to.
+However this field has not yet been initialized so it either contains
+completely bogus value or value from last directory entry at that place.
+In either case this is wrong and can lead to filesystem corruption or
+kernel crashes.
+
+Reported-by: butt3rflyh4ck
+CC: stable@vger.kernel.org
+Fixes: 979a6e28dd96 ("udf: Get rid of 0-length arrays in struct fileIdentDesc")
+Signed-off-by: Jan Kara
+[ This patch deviates from the original upstream patch because in the
+original upstream patch, udf_get_fi_ident(sfi) was being used instead of
+(uint8_t *)sfi->fileIdent + liu as the first arg to memcpy at line 77
+and line 81. Those subsequent lines have been replaced with what the
+upstream patch passes in to memcpy.
]
+Signed-off-by: Nobel Barakat
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/udf/namei.c | 9 ++++-----
+ 1 file changed, 4 insertions(+), 5 deletions(-)
+
+--- a/fs/udf/namei.c
++++ b/fs/udf/namei.c
+@@ -75,12 +75,11 @@ int udf_write_fi(struct inode *inode, st
+
+ if (fileident) {
+ if (adinicb || (offset + lfi < 0)) {
+- memcpy((uint8_t *)sfi->fileIdent + liu, fileident, lfi);
++ memcpy(sfi->impUse + liu, fileident, lfi);
+ } else if (offset >= 0) {
+ memcpy(fibh->ebh->b_data + offset, fileident, lfi);
+ } else {
+- memcpy((uint8_t *)sfi->fileIdent + liu, fileident,
+- -offset);
++ memcpy(sfi->impUse + liu, fileident, -offset);
+ memcpy(fibh->ebh->b_data, fileident - offset,
+ lfi + offset);
+ }
+@@ -89,11 +88,11 @@ int udf_write_fi(struct inode *inode, st
+ offset += lfi;
+
+ if (adinicb || (offset + padlen < 0)) {
+- memset((uint8_t *)sfi->padding + liu + lfi, 0x00, padlen);
++ memset(sfi->impUse + liu + lfi, 0x00, padlen);
+ } else if (offset >= 0) {
+ memset(fibh->ebh->b_data + offset, 0x00, padlen);
+ } else {
+- memset((uint8_t *)sfi->padding + liu + lfi, 0x00, -offset);
++ memset(sfi->impUse + liu + lfi, 0x00, -offset);
+ memset(fibh->ebh->b_data, 0x00, padlen + offset);
+ }
+
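Review bot: The replacement lines `memcpy(sfi->impUse + liu, fileident, lfi);` and `memset(sfi->impUse + liu + lfi, 0x00, padlen);` (and their `-offset` twins in the two embedded namei.c hunks) change which struct member the address is formed from, but the lines they replace already offset from the local `liu` rather than reading `sfi->lengthOfImpUse`, which is the stale field the upstream commit message describes; so the bug being fixed upstream does not appear to be present in the code being removed here. The Fixes: tag names 979a6e28dd96, the commit that removed the 0-length arrays, and the removed lines still address `sfi->fileIdent` and `sfi->padding` as members, which suggests that commit is not in 5.10; if so, this backport is a cosmetic no-op rather than a fix, and the bracketed backporter note should state that (or the patch be dropped from the queue) rather than describing only the textual deviation. Whether the change is even behavior-preserving depends on `impUse`, `fileIdent` and `padding` sharing one offset in the 5.10 struct fileIdentDesc, which is not visible here and should be confirmed against that tree. udf_write_fi's body continues outside the quoted hunks.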