Patch "exfat: check if filename entries exceeds max filename length" has been added to the 6.1-stable tree

Sasha Levin <sashal@xxxxxxxxxx> · Tue, 8 Aug 2023 21:46:11 -0400

This is a note to let you know that I've just added the patch titled

    exfat: check if filename entries exceeds max filename length

to the 6.1-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     exfat-check-if-filename-entries-exceeds-max-filename.patch
and it can be found in the queue-6.1 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit 4abe51e50955e8741a7b7537879b829fdcfb5675
Author: Namjae Jeon <linkinjeon@xxxxxxxxxx>
Date:   Thu Jul 13 21:59:37 2023 +0900

    exfat: check if filename entries exceeds max filename length
    
    [ Upstream commit d42334578eba1390859012ebb91e1e556d51db49 ]
    
    exfat_extract_uni_name copies characters from a given file name entry into
    the 'uniname' variable. This variable is actually defined on the stack of
    the exfat_readdir() function. According to the definition of
    the 'exfat_uni_name' type, the file name should be limited 255 characters
    (+ null teminator space), but the exfat_get_uniname_from_ext_entry()
    function can write more characters because there is no check if filename
    entries exceeds max filename length. This patch add the check not to copy
    filename characters when exceeding max filename length.
    
    Cc: stable@xxxxxxxxxxxxxxx
    Cc: Yuezhang Mo <Yuezhang.Mo@xxxxxxxx>
    Reported-by: Maxim Suhanov <dfirblog@xxxxxxxxx>
    Reviewed-by: Sungjong Seo <sj1557.seo@xxxxxxxxxxx>
    Signed-off-by: Namjae Jeon <linkinjeon@xxxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/fs/exfat/dir.c b/fs/exfat/dir.c
index 78de6f67f882d..51b03b0dd5f75 100644
--- a/fs/exfat/dir.c
+++ b/fs/exfat/dir.c
@@ -34,6 +34,7 @@ static void exfat_get_uniname_from_ext_entry(struct super_block *sb,
 {
 	int i;
 	struct exfat_entry_set_cache *es;
+	unsigned int uni_len = 0, len;
 
 	es = exfat_get_dentry_set(sb, p_dir, entry, ES_ALL_ENTRIES);
 	if (!es)
@@ -52,7 +53,10 @@ static void exfat_get_uniname_from_ext_entry(struct super_block *sb,
 		if (exfat_get_entry_type(ep) != TYPE_EXTEND)
 			break;
 
-		exfat_extract_uni_name(ep, uniname);
+		len = exfat_extract_uni_name(ep, uniname);
+		uni_len += len;
+		if (len != EXFAT_FILE_NAME_LEN || uni_len >= MAX_NAME_LENGTH)
+			break;
 		uniname += EXFAT_FILE_NAME_LEN;
 	}
 
@@ -1024,7 +1028,8 @@ int exfat_find_dir_entry(struct super_block *sb, struct exfat_inode_info *ei,
 			if (entry_type == TYPE_EXTEND) {
 				unsigned short entry_uniname[16], unichar;
 
-				if (step != DIRENT_STEP_NAME) {
+				if (step != DIRENT_STEP_NAME ||
+				    name_len >= MAX_NAME_LENGTH) {
 					step = DIRENT_STEP_FILE;
 					continue;
 				}






