From: Namjae Jeon namjae.jeon@samsung.com
mainline inclusion from mainline-5.15-rc1 commit 2ae1a6cc43027d84e33819ac4376c5e5e11b4152 category: feature bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/2ae1a6cc4302
-------------------------------
If *pos or *pos + count is greater than v_len, It will read beyond the stream_buf buffer. This patch add the check and cut down count with size of the buffer.
Signed-off-by: Namjae Jeon namjae.jeon@samsung.com Signed-off-by: Steve French stfrench@microsoft.com Signed-off-by: Jason Yan yanaijie@huawei.com Signed-off-by: Zhong Jinghua zhongjinghua@huawei.com --- fs/cifsd/vfs.c | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/fs/cifsd/vfs.c b/fs/cifsd/vfs.c index 56b1091473b9..9111b485d611 100644 --- a/fs/cifsd/vfs.c +++ b/fs/cifsd/vfs.c @@ -285,9 +285,19 @@ static int ksmbd_vfs_stream_read(struct ksmbd_file *fp, char *buf, loff_t *pos, if ((int)v_len <= 0) return (int)v_len;
+ if (v_len <= *pos) { + count = -EINVAL; + goto free_buf; + } + + if (v_len - *pos < count) + count = v_len - *pos; + memcpy(buf, &stream_buf[*pos], count); + +free_buf: kvfree(stream_buf); - return v_len > count ? count : v_len; + return count; }
/**