This is a note to let you know that I've just added the patch titled

    vfs: fs_context: fix up param length parsing in legacy_parse_param

to the 5.4-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     vfs-fs_context-fix-up-param-length-parsing-in-legacy_parse_param.patch
and it can be found in the queue-5.4 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.

>From 722d94847de29310e8aa03fcbdb41fc92c521756 Mon Sep 17 00:00:00 2001
From: Jamie Hill-Daniel <jamie@xxxxxxxxxxxxxxxxx>
Date: Tue, 18 Jan 2022 08:06:04 +0100
Subject: vfs: fs_context: fix up param length parsing in legacy_parse_param

From: Jamie Hill-Daniel <jamie@xxxxxxxxxxxxxxxxx>

commit 722d94847de29310e8aa03fcbdb41fc92c521756 upstream.

The "PAGE_SIZE - 2 - size" calculation in legacy_parse_param() is an
unsigned type so a large value of "size" results in a high positive
value instead of a negative value as expected. Fix this by getting rid
of the subtraction.

Signed-off-by: Jamie Hill-Daniel <jamie@xxxxxxxxxxxxxxxxx>
Signed-off-by: William Liu <willsroot@xxxxxxxxxxxxxx>
Tested-by: Salvatore Bonaccorso <carnil@xxxxxxxxxx>
Tested-by: Thadeu Lima de Souza Cascardo <cascardo@xxxxxxxxxxxxx>
Acked-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
Acked-by: Al Viro <viro@xxxxxxxxxxxxxxxxxx>
Signed-off-by: Linus Torvalds <torvalds@xxxxxxxxxxxxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
 fs/fs_context.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/fs/fs_context.c
+++ b/fs/fs_context.c
@@ -585,7 +585,7 @@ static int legacy_parse_param(struct fs_ param->key); } - if (len > PAGE_SIZE - 2 - size) + if (size + len + 2 > PAGE_SIZE) return invalf(fc, "VFS: Legacy: Cumulative options too large"); if (strchr(param->key, ',') || (param->type == fs_value_is_string && Patches currently in stable-queue which might be from jamie@xxxxxxxxxxxxxxxxx are queue-5.4/vfs-fs_context-fix-up-param-length-parsing-in-legacy_parse_param.patch
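Review bot: The rewritten condition `if (size + len + 2 > PAGE_SIZE)` removes the unsigned subtraction, but it is now only correct as long as `size + len + 2` itself cannot wrap, and neither the hunk nor the commit message shows the types or upper bounds of `size` and `len`. A one-line comment above the check stating why the sum stays in range (for example, that both values are already limited to at most a page by the time this line runs, if that is the case) would make the invariant reviewable; alternatively the addition could go through `check_add_overflow()` so the bound does not depend on callers. The changelog would also benefit from a `Fixes:` tag naming the commit that introduced the `PAGE_SIZE - 2 - size` form and a sentence on what happens when the old check is bypassed, since backporters reading only this message cannot tell how far back the fix applies or how urgent it is.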