From: Richard Weinberger <richard@nod.at> mainline inclusion from mainline-v6.12-rc3 commit fe051552f5078fa02d593847529a3884305a6ffe category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IBHWWI CVE: CVE-2024-57850 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?i... -------------------------------- The fix for a memory corruption contained a off-by-one error and caused the compressor to fail in legit cases. Cc: Kinsey Moore <kinsey.moore@oarcorp.com> Cc: stable@vger.kernel.org Fixes: fe051552f5078 ("jffs2: Prevent rtime decompress memory corruption") Signed-off-by: Richard Weinberger <richard@nod.at> Signed-off-by: Yongjian Sun <sunyongjian1@huawei.com> --- fs/jffs2/compr_rtime.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fs/jffs2/compr_rtime.c b/fs/jffs2/compr_rtime.c index 2b9ef713b844..3bd9d2f3bece 100644 --- a/fs/jffs2/compr_rtime.c +++ b/fs/jffs2/compr_rtime.c @@ -95,7 +95,7 @@ static int jffs2_rtime_decompress(unsigned char *data_in, positions[value]=outpos; if (repeat) { - if ((outpos + repeat) >= destlen) { + if ((outpos + repeat) > destlen) { return 1; } if (backoffs + repeat >= outpos) { -- 2.39.2