X-Patchwork-Id: 1822552
From: Yuxuan Luo
To: kernel-team@lists.ubuntu.com
Subject: [SRU][Jammy/Jammy-OEM-6.0/Jammy-OEM-6.1][PATCH 1/1] exfat: check if filename entries exceeds max filename length
Date: Thu, 17 Aug 2023 17:33:01 -0400
Message-Id: <20230817213302.51341-2-yuxuan.luo@canonical.com>

From: Namjae Jeon

exfat_extract_uni_name copies characters from a given file name entry into
the 'uniname' variable. This variable is actually defined on the stack of
the exfat_readdir() function. According to the definition of
the 'exfat_uni_name' type, the file name should be limited to 255 characters
(+ null terminator space), but the exfat_get_uniname_from_ext_entry()
function can write more characters because there is no check if filename
entries exceed max filename length. This patch adds the check not to copy
filename characters when exceeding max filename length.

Cc: stable@vger.kernel.org
Cc: Yuezhang Mo
Reported-by: Maxim Suhanov
Reviewed-by: Sungjong Seo
Signed-off-by: Namjae Jeon
(backported from commit d42334578eba1390859012ebb91e1e556d51db49)
[yuxuan.luo: manually backported]
CVE-2023-4273
Signed-off-by: Yuxuan Luo
---
 fs/exfat/dir.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/fs/exfat/dir.c b/fs/exfat/dir.c index 3940a56902dd..2080eb92f0a9 100644 --- a/fs/exfat/dir.c +++ b/fs/exfat/dir.c @@ -34,6 +34,7 @@ static void exfat_get_uniname_from_ext_entry(struct super_block *sb, { int i; struct exfat_entry_set_cache *es; + unsigned int uni_len = 0, len; es = exfat_get_dentry_set(sb, p_dir, entry, ES_ALL_ENTRIES); if (!es) @@ -52,7 +53,10 @@ static void exfat_get_uniname_from_ext_entry(struct super_block *sb, if (exfat_get_entry_type(ep) != TYPE_EXTEND) break; - exfat_extract_uni_name(ep, uniname); + len = exfat_extract_uni_name(ep, uniname); + uni_len += len; + if (len != EXFAT_FILE_NAME_LEN || uni_len >= MAX_NAME_LENGTH) + break; uniname += EXFAT_FILE_NAME_LEN; } @@ -1035,7 +1039,8 @@ int exfat_find_dir_entry(struct super_block *sb, struct exfat_inode_info *ei, if (entry_type == TYPE_EXTEND) { unsigned short entry_uniname[16], unichar; - if (step != DIRENT_STEP_NAME) { + if (step != DIRENT_STEP_NAME || + name_len >= MAX_NAME_LENGTH) { step = DIRENT_STEP_FILE; continue; }
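
Review bot: in the second hunk (the TYPE_EXTEND loop of exfat_get_uniname_from_ext_entry), the bound is tested only after `len = exfat_extract_uni_name(ep, uniname);` has already written into the caller's buffer, so the check stops the next iteration rather than limiting the current copy. That is safe only while MAX_NAME_LENGTH is an exact multiple of EXFAT_FILE_NAME_LEN and the destination keeps the null terminator space the commit message accounts for. Please state that invariant in a comment above the `if (len != EXFAT_FILE_NAME_LEN || uni_len >= MAX_NAME_LENGTH)` line, or enforce it with a BUILD_BUG_ON on the two constants, so that a later change to either one cannot silently reopen the overflow.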
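
Review bot: the commit message never explains the `name_len >= MAX_NAME_LENGTH` test added to the TYPE_EXTEND branch in the exfat_find_dir_entry hunk; it describes only the exfat_readdir() / exfat_get_uniname_from_ext_entry() path. Please say what name_len bounds here, given that entry_uniname[16] is a separate fixed-size array, and add a one-line comment noting that an over-long entry set is dropped silently by resetting step to DIRENT_STEP_FILE. Since the tag reads only "manually backported", it would also help to record what had to be adjusted by hand relative to d42334578eba1390859012ebb91e1e556d51db49.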