From 01f779132c0c7aca9440fda4c5ffd3bcf81e5420 Mon Sep 17 00:00:00 2001
From: wang-guangge
Date: Fri, 12 Jul 2024 15:03:13 +0800
Subject: [PATCH] fix the CVE-2024-0565 for kernel-5.10.0-136.12.0.86.oe2203sp1
---
 .../5.10.0-136.12.0.86/hotmetadata_SGL.xml | 17 ++++
 ...-kernel-5.10.0-136.12.0.86.oe2203sp1.patch | 81 +++++++++++++++++++
 2 files changed, 98 insertions(+)
 create mode 100644 openEuler-22.03-LTS-SP1/kernel/5.10.0-136.12.0.86/hotmetadata_SGL.xml
 create mode 100644 openEuler-22.03-LTS-SP1/kernel/5.10.0-136.12.0.86/patch/fix-the-CVE-2024-0565-for-kernel-5.10.0-136.12.0.86.oe2203sp1.patch
diff --git a/openEuler-22.03-LTS-SP1/kernel/5.10.0-136.12.0.86/hotmetadata_SGL.xml b/openEuler-22.03-LTS-SP1/kernel/5.10.0-136.12.0.86/hotmetadata_SGL.xml
new file mode 100644
index 0000000..7729e4c
--- /dev/null
+++ b/openEuler-22.03-LTS-SP1/kernel/5.10.0-136.12.0.86/hotmetadata_SGL.xml
@@ -0,0 +1,17 @@
+
+
+ Managing Hot Patch Metadata
+
+
+
+ https://repo.openeuler.org/openEuler-22.03-LTS-SP1/source/Packages/kernel-5.10.0-136.12.0.86.oe2203sp1.src.rpm
+ https://repo.openeuler.org/openEuler-22.03-LTS-SP1/debuginfo/x86_64/Packages/kernel-debuginfo-5.10.0-136.12.0.86.oe2203sp1.x86_64.rpm
+ https://repo.openeuler.org/openEuler-22.03-LTS-SP1/debuginfo/aarch64/Packages/kernel-debuginfo-5.10.0-136.12.0.86.oe2203sp1.aarch64.rpm
+ fix-the-CVE-2024-0565-for-kernel-5.10.0-136.12.0.86.oe2203sp1.patch
+
+ https://gitee.com/openeuler/hotpatch_meta/issues/IACJVB
+
+
+
+
+
diff --git a/openEuler-22.03-LTS-SP1/kernel/5.10.0-136.12.0.86/patch/fix-the-CVE-2024-0565-for-kernel-5.10.0-136.12.0.86.oe2203sp1.patch b/openEuler-22.03-LTS-SP1/kernel/5.10.0-136.12.0.86/patch/fix-the-CVE-2024-0565-for-kernel-5.10.0-136.12.0.86.oe2203sp1.patch
new file mode 100644
index 0000000..14b1d25
--- /dev/null
+++ b/openEuler-22.03-LTS-SP1/kernel/5.10.0-136.12.0.86/patch/fix-the-CVE-2024-0565-for-kernel-5.10.0-136.12.0.86.oe2203sp1.patch
@@ -0,0 +1,81 @@
+From 48c06d1aadb1a57ff0d31b9dda81bdd491207ca3 Mon Sep 17 00:00:00 2001
+From: Paulo Alcantara
+Date: Thu, 18 Jan 2024 10:50:13 +0800
+Subject: [PATCH] smb: client: fix OOB in receive_encrypted_standard()
+
+mainline inclusion
+from mainline-v6.7-rc6
+commit eec04ea119691e65227a97ce53c0da6b9b74b0b7
+category: bugfix
+bugzilla: https://gitee.com/src-openeuler/kernel/issues/I8WEOK
+CVE: CVE-2024-0565
+
+Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=eec04ea119691e65227a97ce53c0da6b9b74b0b7
+
+--------------------------------
+
+Fix potential OOB in receive_encrypted_standard() if server returned a
+large shdr->NextCommand that would end up writing off the end of
+@next_buffer.
+
+Fixes: b24df3e30cbf ("cifs: update receive_encrypted_standard to handle compounded responses")
+Cc: stable@vger.kernel.org
+Reported-by: Robert Morris
+Signed-off-by: Paulo Alcantara (SUSE)
+Signed-off-by: Steve French
+
+Conflicts:
+ fs/cifs/smb2ops.c
+
+Signed-off-by: ZhaoLong Wang
+(cherry picked from commit ac9ef820bdaa653e44497342c6a142e97482a0a1)
+---
+ fs/cifs/smb2ops.c | 14 ++++++++------
+ 1 file changed, 8 insertions(+), 6 deletions(-)
+
+diff --git a/fs/cifs/smb2ops.c b/fs/cifs/smb2ops.c
+index 28cb8219b9fb9..b16b21bd04a2b 100644
+--- a/fs/cifs/smb2ops.c
++++ b/fs/cifs/smb2ops.c
+@@ -4888,6 +4888,7 @@ receive_encrypted_standard(struct TCP_Server_Info *server,
+ struct smb2_sync_hdr *shdr;
+ unsigned int pdu_length = server->pdu_size;
+ unsigned int buf_size;
++ unsigned int next_cmd;
+ struct mid_q_entry *mid_entry;
+ int next_is_large;
+ char *next_buffer = NULL;
+@@ -4916,14 +4917,15 @@ receive_encrypted_standard(struct TCP_Server_Info *server,
+ next_is_large = server->large_buf;
+ one_more:
+ shdr = (struct smb2_sync_hdr *)buf;
+- if (shdr->NextCommand) {
++ next_cmd = le32_to_cpu(shdr->NextCommand);
++ if (next_cmd) {
++ if (WARN_ON_ONCE(next_cmd > pdu_length))
++ return -1;
+ if (next_is_large)
+ next_buffer = (char *)cifs_buf_get();
+ else
+ next_buffer = (char *)cifs_small_buf_get();
+- memcpy(next_buffer,
+- buf + le32_to_cpu(shdr->NextCommand),
+- pdu_length - le32_to_cpu(shdr->NextCommand));
++ memcpy(next_buffer, buf + next_cmd, pdu_length - next_cmd);
+ }
+
+ mid_entry = smb2_find_mid(server, buf);
+@@ -4947,8 +4949,8 @@ receive_encrypted_standard(struct TCP_Server_Info *server,
+ else
+ ret = cifs_handle_standard(server, mid_entry);
+
+- if (ret == 0 && shdr->NextCommand) {
+- pdu_length -= le32_to_cpu(shdr->NextCommand);
++ if (ret == 0 && next_cmd) {
++ pdu_length -= next_cmd;
+ server->large_buf = next_is_large;
+ if (next_is_large)
+ server->bigbuf = buf = next_buffer;
+--
+Gitee
+
--
Gitee
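Review bot: The new bounds check under `one_more:` wraps a server-controlled value in `WARN_ON_ONCE(next_cmd > pdu_length)`, so a peer that sends an oversized `NextCommand` produces a kernel warning with a stack trace, and on hosts running with `panic_on_warn` a rejected response becomes a crash. The commit message itself says the value comes from the server, so a plain `if (next_cmd > pdu_length) return -1;` (optionally with a rate-limited log line) would reject the response without that side effect. The check also admits `next_cmd == pdu_length` and any remainder shorter than `sizeof(struct smb2_sync_hdr)`, in which case `memcpy` writes fewer bytes than a header into `next_buffer`. The jump back to `one_more` lies outside the hunks shown, so it is worth confirming that the next pass cannot read `shdr->NextCommand` from bytes that were never copied, or tightening the guard to require at least a full header after `next_cmd`.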