From: Greg Kroah-Hartman
Date: Mon, 21 Aug 2023 16:46:13 +0000 (+0200)
Subject: 5.15-stable patches
X-Git-Tag: v6.4.12~29
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=fd10a4d350ae587ed907b29b3b4315e69dd9e9e0;p=thirdparty%2Fkernel%2Fstable-queue.git
5.15-stable patches added patches: exfat-check-if-filename-entries-exceeds-max-filename-length.patch
---
diff --git a/queue-5.15/exfat-check-if-filename-entries-exceeds-max-filename-length.patch b/queue-5.15/exfat-check-if-filename-entries-exceeds-max-filename-length.patch
new file mode 100644
index 00000000000..7ef1a69bf3d
--- /dev/null
+++ b/queue-5.15/exfat-check-if-filename-entries-exceeds-max-filename-length.patch
@@ -0,0 +1,63 @@
+From d42334578eba1390859012ebb91e1e556d51db49 Mon Sep 17 00:00:00 2001
+From: Namjae Jeon
+Date: Thu, 13 Jul 2023 21:59:37 +0900
+Subject: exfat: check if filename entries exceeds max filename length
+
+From: Namjae Jeon
+
+commit d42334578eba1390859012ebb91e1e556d51db49 upstream.
+
+exfat_extract_uni_name copies characters from a given file name entry into
+the 'uniname' variable. This variable is actually defined on the stack of
+the exfat_readdir() function. According to the definition of
+the 'exfat_uni_name' type, the file name should be limited 255 characters
+(+ null teminator space), but the exfat_get_uniname_from_ext_entry()
+function can write more characters because there is no check if filename
+entries exceeds max filename length. This patch add the check not to copy
+filename characters when exceeding max filename length.
+
+Cc: stable@vger.kernel.org
+Cc: Yuezhang Mo
+Reported-by: Maxim Suhanov
+Reviewed-by: Sungjong Seo
+Signed-off-by: Namjae Jeon
+Signed-off-by: Sasha Levin
+[Harshit: backport to 5.15.y]
+Signed-off-by: Harshit Mogalapalli
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/exfat/dir.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+--- a/fs/exfat/dir.c
++++ b/fs/exfat/dir.c
+@@ -34,6 +34,7 @@ static void exfat_get_uniname_from_ext_e
+ {
+ int i;
+ struct exfat_entry_set_cache *es;
++ unsigned int uni_len = 0, len;
+
+ es = exfat_get_dentry_set(sb, p_dir, entry, ES_ALL_ENTRIES);
+ if (!es)
+@@ -52,7 +53,10 @@ static void exfat_get_uniname_from_ext_e
+ if (exfat_get_entry_type(ep) != TYPE_EXTEND)
+ break;
+
+- exfat_extract_uni_name(ep, uniname);
++ len = exfat_extract_uni_name(ep, uniname);
++ uni_len += len;
++ if (len != EXFAT_FILE_NAME_LEN || uni_len >= MAX_NAME_LENGTH)
++ break;
+ uniname += EXFAT_FILE_NAME_LEN;
+ }
+
+@@ -1032,7 +1036,8 @@ rewind:
+ if (entry_type == TYPE_EXTEND) {
+ unsigned short entry_uniname[16], unichar;
+
+- if (step != DIRENT_STEP_NAME) {
++ if (step != DIRENT_STEP_NAME ||
++ name_len >= MAX_NAME_LENGTH) {
+ step = DIRENT_STEP_FILE;
+ continue;
+ }
diff --git a/queue-5.15/series b/queue-5.15/series
index b22697c2dbf..ee479de7090 100644
--- a/queue-5.15/series
+++ b/queue-5.15/series
@@ -122,3 +122,4 @@ mmc-block-fix-in_flight-value-error.patch
 drm-qxl-fix-uaf-on-handle-creation.patch
 drm-amd-flush-any-delayed-gfxoff-on-suspend-entry.patch
 netfilter-set-default-timeout-to-3-secs-for-sctp-shutdown-send-and-recv-state.patch
+exfat-check-if-filename-entries-exceeds-max-filename-length.patch
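Review bot: In the second fs/exfat/dir.c hunk the new length test runs only after `exfat_extract_uni_name(ep, uniname)` has already written into `uniname`, so it bounds the next iteration rather than the copy that was just made. That is sufficient only if the caller's buffer still has room for one more full entry plus its terminator whenever `uni_len < MAX_NAME_LENGTH`, which depends on the two constants and on how the helper writes, neither of which is visible in the hunk. I would state that invariant next to the check, for example `/* checked after the copy: uniname must hold roundup(MAX_NAME_LENGTH, EXFAT_FILE_NAME_LEN) + 1 chars */`, or pin the relationship at build time with `BUILD_BUG_ON(MAX_NAME_LENGTH % EXFAT_FILE_NAME_LEN);`. The loop and the function body start and end outside the hunk, so the buffer size declared in exfat_readdir() and the helper's return type (now assigned to an `unsigned int`) should be confirmed against the 5.15 tree.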