CVE-2023-45897 Add debian/patches/CVE-2023-45897-out-of-bounds-memory-access
1 Description: CVE-2023-45897 out-of-bounds memory access
2 Origin: https://github.com/exfatprogs/exfatprogs/commit/ec78688e5fb5a70e13df82b4c0da1e6228d3ccdf
3  https://github.com/exfatprogs/exfatprogs/commit/22d0e43e8d24119cbfc6efafabb0dec6517a86c4
4  https://github.com/exfatprogs/exfatprogs/commit/4abc55e976573991e6a1117bb2b3711e59da07ae
5 Last-Update: 2023-10-31
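--- a/exfat2img/exfat2img.c
+++ b/exfat2img/exfat2img.c
@@ -319,7 +319,7 @@ static int read_file_dentry_set(struct e
        if (!node)
                return -ENOMEM;
 
-       for (i = 2; i <= file_de->file_num_ext; i++) {
+       for (i = 2; i <= MIN(file_de->file_num_ext, 1 + MAX_NAME_DENTRIES); i++) {
                ret = exfat_de_iter_get(iter, i, &dentry);
                if (ret || dentry->type != EXFAT_NAME)
                        break;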
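Review bot: When `file_num_ext` is larger than `1 + MAX_NAME_DENTRIES`, the clamped bound stops the loop quietly, and nothing in this hunk reports that the on-disk count was out of range. A one-line diagnostic before the loop would make a corrupted or crafted volume visible to whoever is dumping the image. The `1 +` is also unexplained; a comment such as `/* entry 1 is the stream extension, name entries are 2..1+MAX_NAME_DENTRIES */` would help. The same expression recurs in fsck/fsck.c (hunk at -856), so a shared macro for the bound would keep the two in step. read_file_dentry_set starts and ends outside the hunk, so the buffer the loop fills is not visible here.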
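--- a/fsck/fsck.c
+++ b/fsck/fsck.c
@@ -769,7 +769,7 @@ ask_again:
                char *rename = NULL;
                __u16 hash;
                struct exfat_dentry *stream_de;
-               int name_len, ret;
+               int ret;
 
                switch (num) {
                case 1:
@@ -798,11 +798,11 @@ ask_again:
                if (ret < 0)
                        return ret;
 
+               ret >>=1;
                memcpy(dentry->name_unicode, utf16_name, ENTRY_NAME_MAX * 2);
-               name_len = exfat_utf16_len(utf16_name, ENTRY_NAME_MAX * 2);
-               hash = exfat_calc_name_hash(iter->exfat, utf16_name, (int)name_len);
+               hash = exfat_calc_name_hash(iter->exfat, utf16_name, ret);
                exfat_de_iter_get_dirty(iter, 1, &stream_de);
-               stream_de->stream_name_len = (__u8)name_len;
+               stream_de->stream_name_len = (__u8)ret;
                stream_de->stream_name_hash = cpu_to_le16(hash);
        }
 
@@ -856,7 +856,7 @@ static int read_file_dentry_set(struct e
        if (!node)
                return -ENOMEM;
 
-       for (i = 2; i <= file_de->file_num_ext; i++) {
+       for (i = 2; i <= MIN(file_de->file_num_ext, 1 + MAX_NAME_DENTRIES); i++) {
                ret = exfat_de_iter_get(iter, i, &dentry);
                if (ret || dentry->type != EXFAT_NAME) {
                        if (i > 2 && repair_file_ask(iter, NULL, ER_DE_NAME,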
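Review bot: In the rename path (hunk at -798), `ret >>=1;` halves what appears to be a byte count from the conversion call above the hunk, and the result is then narrowed with `(__u8)ret` without any range check. Reusing `ret` for the name length hides the change of unit from bytes to UTF-16 code units. I would keep a named local, `int name_len = ret / 2;`, and refuse `name_len > ENTRY_NAME_MAX` before the `memcpy`. That check is redundant only if the encoder already caps its result to the size of `utf16_name`, which is outside the hunk and cannot be confirmed from here. Independently, the operator spacing should read `ret >>= 1;`.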
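--- a/include/exfat_ondisk.h
+++ b/include/exfat_ondisk.h
@@ -40,6 +40,7 @@
 /* exFAT allows 8388608(256MB) directory entries */
 #define MAX_EXFAT_DENTRIES     8388608
 #define MIN_FILE_DENTRIES      3
+#define MAX_NAME_DENTRIES      17
 
 /* dentry types */
 #define MSDOS_DELETED          0xE5    /* deleted mark */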
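Review bot: `MAX_NAME_DENTRIES` is added without a comment, although 17 is the value both bounds checks in this patch depend on. A line such as `/* 255 UTF-16 code units per file name / 15 per name entry, rounded up */` above the define would record where it comes from, assuming `ENTRY_NAME_MAX` is 15 as in the exFAT on-disk format. If the header already defines the maximum name length and `ENTRY_NAME_MAX`, deriving the constant from them would be safer than a bare literal.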