)]}'
{
  "commit": "78b75926d499bea4a9cc1328e16fe044ee727a8a",
  "tree": "53a17d3e03f4fa85f7b077f8f1a932465bf38f7c",
  "parents": [
    "abc9690e0a6905da374e16aca609f668c0ff8633"
  ],
  "author": {
    "name": "Pali Rohár",
    "email": "pali@kernel.org",
    "time": "Fri Nov 22 14:44:10 2024 +0100"
  },
  "committer": {
    "name": "Arnav Kansal",
    "email": "rnv@google.com",
    "time": "Mon Dec 23 11:06:57 2024 -0800"
  },
  "message": "cifs: Fix buffer overflow when parsing NFS reparse points\n\ncommit e2a8910af01653c1c268984855629d71fb81f404 upstream.\n\nReparseDataLength is sum of the InodeType size and DataBuffer size.\nSo to get DataBuffer size it is needed to subtract InodeType\u0027s size from\nReparseDataLength.\n\nFunction cifs_strndup_from_utf16() is currentlly accessing buf-\u003eDataBuffer\nat position after the end of the buffer because it does not subtract\nInodeType size from the length. Fix this problem and correctly subtract\nvariable len.\n\nMember InodeType is present only when reparse buffer is large enough. Check\nfor ReparseDataLength before accessing InodeType to prevent another invalid\nmemory access.\n\nMajor and minor rdev values are present also only when reparse buffer is\nlarge enough. Check for reparse buffer size before calling reparse_mkdev().\n\nBUG\u003db/375751698\nTEST\u003dpresubmit\nRELEASE_NOTE\u003dFixed CVE-2024-49996 in the Linux kernel.\n\ncos-patch: security-high\nFixes: d5ecebc4900d (\"smb3: Allow query of symlinks stored as reparse points\")\nReviewed-by: Paulo Alcantara (Red Hat) \u003cpc@manguebit.com\u003e\nChange-Id: I236856bbc5fd326bf7b35b0c5213fbf138ae63f9\nSigned-off-by: Pali Rohár \u003cpali@kernel.org\u003e\nSigned-off-by: Steve French \u003cstfrench@microsoft.com\u003e\n[use variable name symlink_buf, the other buf-\u003eInodeType accesses are\nnot used in current version so skip]\nSigned-off-by: Mahmoud Adam \u003cmngyadam@amazon.com\u003e\nSigned-off-by: Sasha Levin \u003csashal@kernel.org\u003e\nSigned-off-by: Kernel CVE Triage Automation \u003ccloud-image-kernel-cve-triage-automation@prod.google.com\u003e\nReviewed-on: https://cos-review.googlesource.com/c/third_party/kernel/+/89187\nReviewed-by: Michael Kochera \u003ckochera@google.com\u003e\nTested-by: Cusky Presubmit Bot \u003cpresubmit@cos-infra-prod.iam.gserviceaccount.com\u003e\nReviewed-by: Arnav Kansal \u003crnv@google.com\u003e\n",
  "tree_diff": [
    {
      "type": "modify",
      "old_id": "5e9478f31d47a489856b34a46ab6396902fe5340",
      "old_mode": 33188,
      "old_path": "fs/smb/client/smb2ops.c",
      "new_id": "e942cdb5214c4b9428e7d71d1350980bef8356af",
      "new_mode": 33188,
      "new_path": "fs/smb/client/smb2ops.c"
    }
  ]
}