From patchwork Thu Aug 17 21:33:02 2023
X-Patchwork-Submitter: Yuxuan Luo
X-Patchwork-Id: 1822554
From: Yuxuan Luo
To: kernel-team@lists.ubuntu.com
Subject: [SRU][Lunar][PATCH 1/1] exfat: check if filename entries exceeds max filename length
Date: Thu, 17 Aug 2023 17:33:02 -0400
Message-Id: <20230817213302.51341-3-yuxuan.luo@canonical.com>
In-Reply-To: <20230817213302.51341-1-yuxuan.luo@canonical.com>
References: <20230817213302.51341-1-yuxuan.luo@canonical.com>

From: Namjae Jeon

exfat_extract_uni_name copies characters from a given file name entry into the 'uniname' variable. This variable is actually defined on the stack of the exfat_readdir() function. According to the definition of the 'exfat_uni_name' type, the file name should be limited to 255 characters (+ null terminator space), but the exfat_get_uniname_from_ext_entry() function can write more characters because there is no check if filename entries exceed max filename length. This patch adds the check not to copy filename characters when exceeding max filename length.

Cc: stable@vger.kernel.org
Cc: Yuezhang Mo
Reported-by: Maxim Suhanov
Reviewed-by: Sungjong Seo
Signed-off-by: Namjae Jeon
(cherry picked from commit d42334578eba1390859012ebb91e1e556d51db49)
CVE-2023-4273
Signed-off-by: Yuxuan Luo
--- fs/exfat/dir.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/fs/exfat/dir.c b/fs/exfat/dir.c index 158427e8124e1..05efd55ccb434 100644 --- a/fs/exfat/dir.c +++ b/fs/exfat/dir.c
@@ -34,6 +34,7 @@ static void exfat_get_uniname_from_ext_entry(struct super_block *sb, { int i; struct exfat_entry_set_cache es; + unsigned int uni_len = 0, len; if (exfat_get_dentry_set(&es, sb, p_dir, entry, ES_ALL_ENTRIES)) return; @@ -51,7 +52,10 @@ static void exfat_get_uniname_from_ext_entry(struct super_block *sb, if (exfat_get_entry_type(ep) != TYPE_EXTEND) break; - exfat_extract_uni_name(ep, uniname); + len = exfat_extract_uni_name(ep, uniname); + uni_len += len; + if (len != EXFAT_FILE_NAME_LEN || uni_len >= MAX_NAME_LENGTH) + break; uniname += EXFAT_FILE_NAME_LEN; } @@ -1044,7 +1048,8 @@ int exfat_find_dir_entry(struct super_block *sb, struct exfat_inode_info *ei, if (entry_type == TYPE_EXTEND) { unsigned short entry_uniname[16], unichar; - if (step != DIRENT_STEP_NAME) { + if (step != DIRENT_STEP_NAME || + name_len >= MAX_NAME_LENGTH) { step = DIRENT_STEP_FILE; continue; }
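Review bot: in the second hunk (@@ -51,7 +52,10 @@, exfat_get_uniname_from_ext_entry()), the new length test runs only after `exfat_extract_uni_name(ep, uniname)` has already written into `uniname`, so it bounds the next copy and not the one that just happened. That is safe only if the destination always has room for one more full entry whenever `uni_len < MAX_NAME_LENGTH`, which depends on how MAX_NAME_LENGTH relates to EXFAT_FILE_NAME_LEN and on the size of the caller's buffer, none of which is visible in these lines. Please add a short comment above the `if` stating that invariant. Since the function is `static void`, an entry set carrying more name entries than allowed is also truncated silently; a comment saying that this is intentional would help.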
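Review bot: in the third hunk (@@ -1044,7 +1048,8 @@, exfat_find_dir_entry()), the added `name_len >= MAX_NAME_LENGTH` condition is folded into the existing `step != DIRENT_STEP_NAME` test without a comment, so an over-long on-disk name takes the same path as an out-of-order entry (`step = DIRENT_STEP_FILE; continue;`). The code that advances `name_len` lies outside the hunk, so the reader cannot confirm from these lines that it is updated once per TYPE_EXTEND entry before this test is reached again. A one-line comment saying that name entries beyond MAX_NAME_LENGTH characters are treated as a non-match would make the intent clear.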