Diffstat (limited to 'meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2023-52612.patch')
-rw-r--r--meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2023-52612.patch55
1 files changed, 55 insertions, 0 deletions
diff --git a/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2023-52612.patch b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2023-52612.patch
new file mode 100644
index 000000000..65fc76942
--- /dev/null
+++ b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2023-52612.patch
@@ -0,0 +1,55 @@
+From 1142d65c5b881590962ad763f94505b6dd67d2fe Mon Sep 17 00:00:00 2001
+From: Chengming Zhou <zhouchengming@bytedance.com>
+Date: Wed, 27 Dec 2023 09:35:23 +0000
+Subject: crypto: scomp - fix req->dst buffer overflow
+
+[ Upstream commit 744e1885922a9943458954cfea917b31064b4131 ]
+
+The req->dst buffer size should be checked before copying from the
+scomp_scratch->dst to avoid req->dst buffer overflow problem.
+
+Fixes: 1ab53a77b772 ("crypto: acomp - add driver-side scomp interface")
+Reported-by: syzbot+3eff5e51bf1db122a16e@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/all/0000000000000b05cd060d6b5511@google.com/
+Signed-off-by: Chengming Zhou <zhouchengming@bytedance.com>
+Reviewed-by: Barry Song <v-songbaohua@oppo.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ crypto/scompress.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/crypto/scompress.c b/crypto/scompress.c
+index 3702f1648ea8c9..34174f55a6d6ed 100644
+--- a/crypto/scompress.c
++++ b/crypto/scompress.c
+@@ -132,6 +132,7 @@ static int scomp_acomp_comp_decomp(struct acomp_req *req, int dir)
+ struct crypto_scomp *scomp = *tfm_ctx;
+ void **ctx = acomp_request_ctx(req);
+ struct scomp_scratch *scratch;
++ unsigned int dlen;
+ int ret;
+
+ if (!req->src || !req->slen || req->slen > SCOMP_SCRATCH_SIZE)
+@@ -143,6 +144,8 @@ static int scomp_acomp_comp_decomp(struct acomp_req *req, int dir)
+ if (!req->dlen || req->dlen > SCOMP_SCRATCH_SIZE)
+ req->dlen = SCOMP_SCRATCH_SIZE;
+
++ dlen = req->dlen;
++
+ scratch = raw_cpu_ptr(&scomp_scratch);
+ spin_lock(&scratch->lock);
+
+@@ -160,6 +163,9 @@ static int scomp_acomp_comp_decomp(struct acomp_req *req, int dir)
+ ret = -ENOMEM;
+ goto out;
+ }
++ } else if (req->dlen > dlen) {
++ ret = -ENOSPC;
++ goto out;
+ }
+ scatterwalk_map_and_copy(scratch->dst, req->dst, 0, req->dlen,
+ 1);
+--
+cgit 1.2.3-korg
+
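Review bot: The header of the added patch file (from the `From 1142d65c…` line through the `Signed-off-by` trailers) has no `CVE:` or `Upstream-Status:` tag, so the CVE id is recorded only in the file name and the upstream reference only in the free-text `[ Upstream commit … ]` line. I would add `CVE: CVE-2023-52612` and `Upstream-Status: Backport [<upstream commit URL>]` to the trailer block, so that layer tooling and later audits can match the fix to the advisory without relying on the file name. The three code hunks against `crypto/scompress.c` should stay identical to the upstream commit. This view is limited to the one path, so whether the linux-aspeed recipe's `SRC_URI` lists the new file cannot be confirmed here; a patch file that is not listed there is never applied to the kernel source.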