From c273c90c2c196d63a000eb83bea0b51c09af0e5d Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Sat, 7 Jan 2023 10:26:58 +0100 Subject: [PATCH] 6.0-stable patches added patches: cifs-prevent-copying-past-input-buffer-boundaries.patch --- ...copying-past-input-buffer-boundaries.patch | 42 +++++++++++++++++++ queue-6.0/series | 1 + 2 files changed, 43 insertions(+) create mode 100644 queue-6.0/cifs-prevent-copying-past-input-buffer-boundaries.patch diff --git a/queue-6.0/cifs-prevent-copying-past-input-buffer-boundaries.patch b/queue-6.0/cifs-prevent-copying-past-input-buffer-boundaries.patch new file mode 100644 index 00000000000..bda93f42eaa --- /dev/null +++ b/queue-6.0/cifs-prevent-copying-past-input-buffer-boundaries.patch @@ -0,0 +1,42 @@ +From 9ee2afe5207b63b20426ee081f486d831bae871d Mon Sep 17 00:00:00 2001 +From: Paulo Alcantara +Date: Thu, 6 Oct 2022 13:04:05 -0300 +Subject: cifs: prevent copying past input buffer boundaries + +From: Paulo Alcantara + +commit 9ee2afe5207b63b20426ee081f486d831bae871d upstream. + +Prevent copying past @data buffer in smb2_validate_and_copy_iov() as +the output buffer in @iov might be potentially bigger and thus copying +more bytes than requested in @minbufsize. + +Signed-off-by: Paulo Alcantara (SUSE) +Reviewed-by: Ronnie Sahlberg +Signed-off-by: Steve French +Cc: Georg Müller +Signed-off-by: Greg Kroah-Hartman +--- + fs/cifs/smb2pdu.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/fs/cifs/smb2pdu.c ++++ b/fs/cifs/smb2pdu.c +@@ -3481,7 +3481,7 @@ smb2_validate_and_copy_iov(unsigned int + if (rc) + return rc; + +- memcpy(data, begin_of_buf, buffer_length); ++ memcpy(data, begin_of_buf, minbufsize); + + return 0; + } +@@ -3605,7 +3605,7 @@ query_info(const unsigned int xid, struc + + rc = smb2_validate_and_copy_iov(le16_to_cpu(rsp->OutputBufferOffset), + le32_to_cpu(rsp->OutputBufferLength), +- &rsp_iov, min_len, *data); ++ &rsp_iov, dlen ? *dlen : min_len, *data); + if (rc && allocated) { + kfree(*data); + *data = NULL; diff --git a/queue-6.0/series b/queue-6.0/series index 917bfb9a79a..7a96bd03658 100644 --- a/queue-6.0/series +++ b/queue-6.0/series @@ -174,3 +174,4 @@ drm-amd-pm-add-missing-smu13.0.0-mm_dpm-feature-mapping.patch drm-amd-pm-add-missing-smu13.0.7-mm_dpm-feature-mapping.patch drm-amd-pm-bump-smu13.0.0-driver_if-header-to-version-0x34.patch drm-amd-pm-correct-the-fan-speed-retrieving-in-pwm-for-some-smu13-asics.patch +cifs-prevent-copying-past-input-buffer-boundaries.patch -- 2.47.3