Commit cf2b2efc authored by Namjae Jeon's avatar Namjae Jeon Committed by ZhaoLong Wang
Browse files

exfat: check if filename entries exceeds max filename length 

stable inclusion
from stable-v5.10.190
commit 381f7df0f3c3bd7dceb3e2b2b64c2f6247e2ac19
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/I7TLII
CVE: CVE-2023-4273

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=381f7df0f3c3bd7dceb3e2b2b64c2f6247e2ac19



---------------------------

[ Upstream commit d4233457 ]

exfat_extract_uni_name copies characters from a given file name entry into
the 'uniname' variable. This variable is actually defined on the stack of
the exfat_readdir() function. According to the definition of
the 'exfat_uni_name' type, the file name should be limited 255 characters
(+ null teminator space), but the exfat_get_uniname_from_ext_entry()
function can write more characters because there is no check if filename
entries exceeds max filename length. This patch add the check not to copy
filename characters when exceeding max filename length.

Cc: stable@vger.kernel.org
Cc: Yuezhang Mo <Yuezhang.Mo@sony.com>
Reported-by: default avatarMaxim Suhanov <dfirblog@gmail.com>
Reviewed-by: default avatarSungjong Seo <sj1557.seo@samsung.com>
Signed-off-by: default avatarNamjae Jeon <linkinjeon@kernel.org>
Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
Signed-off-by: default avatarZhaoLong Wang <wangzhaolong1@huawei.com>
parent 8bf7fb5a

fs/exfat/dir.c

+7 −2
Original line number Diff line number Diff line
@@ -33,6 +33,7 @@ static void exfat_get_uniname_from_ext_entry(struct super_block *sb, 
{

	int i;

	struct exfat_entry_set_cache *es;

	unsigned int uni_len = 0, len;



	es = exfat_get_dentry_set(sb, p_dir, entry, ES_ALL_ENTRIES);

	if (!es)
@@ -51,7 +52,10 @@ static void exfat_get_uniname_from_ext_entry(struct super_block *sb, 
		if (exfat_get_entry_type(ep) != TYPE_EXTEND)

			break;



		exfat_extract_uni_name(ep, uniname);

		len = exfat_extract_uni_name(ep, uniname);

		uni_len += len;

		if (len != EXFAT_FILE_NAME_LEN || uni_len >= MAX_NAME_LENGTH)

			break;

		uniname += EXFAT_FILE_NAME_LEN;

	}
@@ -1026,7 +1030,8 @@ int exfat_find_dir_entry(struct super_block *sb, struct exfat_inode_info *ei, 
			if (entry_type == TYPE_EXTEND) {

				unsigned short entry_uniname[16], unichar;



				if (step != DIRENT_STEP_NAME) {

				if (step != DIRENT_STEP_NAME ||

				    name_len >= MAX_NAME_LENGTH) {

					step = DIRENT_STEP_FILE;

					continue;

				}