Commit 9aa81fd4 authored by Kinsey Moore, committed by Yongjian Sun

jffs2: Prevent rtime decompress memory corruption

mainline inclusion
from mainline-v6.12-rc3
commit fe051552f5078fa02d593847529a3884305a6ffe
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IBHWWI
CVE: CVE-2024-57850

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=fe051552f5078fa02d593847529a3884305a6ffe



--------------------------------

The rtime decompression routine does not fully check bounds during the
entirety of the decompression pass and can corrupt memory outside the
decompression buffer if the compressed data is corrupted. This adds the
required check to prevent this failure mode.

Cc: stable@vger.kernel.org
Signed-off-by: Kinsey Moore <kinsey.moore@oarcorp.com>
Signed-off-by: Richard Weinberger <richard@nod.at>
Signed-off-by: Yongjian Sun <sunyongjian1@huawei.com>
parent 874edbaf
+3 −0
@@ -95,6 +95,9 @@ static int jffs2_rtime_decompress(unsigned char *data_in,

		positions[value]=outpos;
		if (repeat) {
			if ((outpos + repeat) >= destlen) {
				return 1;
			}
			if (backoffs + repeat >= outpos) {
				while(repeat) {
					cpage_out[outpos++] = cpage_out[backoffs++];
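
Review bot: the bounds check `if ((outpos + repeat) >= destlen)` inside `if (repeat)` looks one byte too strict. The copy loop below it writes `repeat` bytes starting at `cpage_out[outpos]`, so the last index touched is `outpos + repeat - 1`, and a run that ends exactly at `destlen` stays inside the buffer yet is rejected here with `return 1`. Unless a repeat that fills the output exactly is meant to be invalid, `if (outpos + repeat > destlen)` would still stop the out-of-bounds write without failing data whose final run reaches the end of the output. Two smaller points on the same lines: kernel style omits the braces around a single `return 1;`, and a short comment saying that the early return signals corrupted compressed input would help callers and later readers, since nothing else in the hunk says what the non-zero return means.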