[PATCH OLK-6.6 1/1] firewire: nosy: ensure user_length is taken into account when fetching packet contents

From: Thanassis Avgerinos thanassis.avgerinos@gmail.com

mainline inclusion from mainline-v6.9-rc7 commit 38762a0763c10c24a4915feee722d7aa6e73eb98 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9OZA3 CVE: CVE-2024-27401

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?i...

--------------------------------

commit 38762a0763c10c24a4915feee722d7aa6e73eb98 upstream.

Ensure that packet_buffer_get respects the user_length provided. If the length of the head packet exceeds the user_length, packet_buffer_get will now return 0 to signify to the user that no data were read and a larger buffer size is required. Helps prevent user space overflows.

Signed-off-by: Thanassis Avgerinos thanassis.avgerinos@gmail.com Signed-off-by: Takashi Sakamoto o-takashi@sakamocchi.jp Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org Signed-off-by: Hongbo Li lihongbo22@huawei.com --- drivers/firewire/nosy.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/drivers/firewire/nosy.c b/drivers/firewire/nosy.c index b0d671db178a..ea31ac7ac1ca 100644 --- a/drivers/firewire/nosy.c +++ b/drivers/firewire/nosy.c @@ -148,10 +148,12 @@ packet_buffer_get(struct client *client, char __user *data, size_t user_length) if (atomic_read(&buffer->size) == 0) return -ENODEV;

- /* FIXME: Check length <= user_length. */ + length = buffer->head->length; + + if (length > user_length) + return 0;

end = buffer->data + buffer->capacity; - length = buffer->head->length;

if (&buffer->head->data[length] < end) { if (copy_to_user(data, buffer->head->data, length))