Dear stable team,

please hold this fix back. It contains a bug.
A followup fix will land soon in master and I'll notify you.

Thanks,
//richard

----- Original Message -----
> From: "Greg Kroah-Hartman" <gregkh@xxxxxxxxxxxxxxxxxxx>
> To: "Greg Kroah-Hartman" <gregkh@xxxxxxxxxxxxxxxxxxx>, "Kinsey Moore" <kinsey.moore@xxxxxxxxxxx>, "richard" <richard@xxxxxx>
> CC: stable-commits@xxxxxxxxxxxxxxx
> Sent: Tuesday, 3 December 2024 11:51:10
> Subject: Patch "jffs2: Prevent rtime decompress memory corruption" has been added to the 6.6-stable tree

> This is a note to let you know that I've just added the patch titled
>
> jffs2: Prevent rtime decompress memory corruption
>
> to the 6.6-stable tree which can be found at:
> http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
>
> The filename of the patch is:
> jffs2-prevent-rtime-decompress-memory-corruption.patch
> and it can be found in the queue-6.6 subdirectory.
>
> If you, or anyone else, feels it should not be added to the stable tree,
> please let <stable@xxxxxxxxxxxxxxx> know about it.
>
>
> From fe051552f5078fa02d593847529a3884305a6ffe Mon Sep 17 00:00:00 2001
> From: Kinsey Moore <kinsey.moore@xxxxxxxxxxx>
> Date: Tue, 23 Jul 2024 15:58:05 -0500
> Subject: jffs2: Prevent rtime decompress memory corruption
>
> From: Kinsey Moore <kinsey.moore@xxxxxxxxxxx>
>
> commit fe051552f5078fa02d593847529a3884305a6ffe upstream.
>
> The rtime decompression routine does not fully check bounds during the
> entirety of the decompression pass and can corrupt memory outside the
> decompression buffer if the compressed data is corrupted. This adds the
> required check to prevent this failure mode.
>
> Cc: stable@xxxxxxxxxxxxxxx
> Signed-off-by: Kinsey Moore <kinsey.moore@xxxxxxxxxxx>
> Signed-off-by: Richard Weinberger <richard@xxxxxx>
> Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
> ---
> fs/jffs2/compr_rtime.c | 3 +++
> 1 file changed, 3 insertions(+)
> > --- a/fs/jffs2/compr_rtime.c > +++ b/fs/jffs2/compr_rtime.c > @@ -95,6 +95,9 @@ static int jffs2_rtime_decompress(unsign > > positions[value]=outpos; > if (repeat) { > + if ((outpos + repeat) >= destlen) { > + return 1; > + } > if (backoffs + repeat >= outpos) { > while(repeat) { > cpage_out[outpos++] = cpage_out[backoffs++]; > > > Patches currently in stable-queue which might be from kinsey.moore@xxxxxxxxxxx > are > > queue-6.6/jffs2-prevent-rtime-decompress-memory-corruption.patch
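
Review bot: In the check added under `if (repeat) {` in jffs2_rtime_decompress(), `(outpos + repeat) >= destlen` looks off by one. The copy loop below it writes `repeat` bytes to indexes outpos through outpos + repeat - 1, so a run with outpos + repeat == destlen ends on the last byte of the output and is still in bounds (assuming destlen is the size of cpage_out, which the hunk does not show). As written, valid data whose final run fills the output exactly makes the function return 1. Suggest `if (outpos + repeat > destlen)`, and dropping the braces around the single `return 1;` statement to match kernel coding style.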