CVE-2023-52497

erofs: fix lz4 inplace decompression

References

Notes

 carnil> Introduced in 0ffd71bcc3a0 ("staging: erofs: introduce LZ4 decompression
 carnil> inplace")
 carnil> 598162d05080 ("erofs: support decompress big pcluster for lz4 backend").
 carnil> Vulnerable versions: 5.3-rc1 5.13-rc1.

Bugs

Status

Branch                  Status
4.19-buster-security    N/A "Vulnerable code not present"
4.19-upstream-stable    N/A "Vulnerable code not present"
5.10-bullseye-security  released (5.10.216-1)
5.10-upstream-stable    released (5.10.211) [a0180e940cf1aefa7d516e20b259ad34f7a8b379]
6.1-bookworm-security   released (6.1.76-1)
6.1-upstream-stable     released (6.1.76) [33bf23c9940dbd3a22aad7f0cda4c84ed5701847]
6.6-upstream-stable     released (6.6.15) [f36d200a80a3ca025532ed60dd1ac21b620e14ae]
6.8-upstream-stable     N/A "Fixed before branching point"
sid                     released (6.6.15-1)
upstream                released (6.8-rc1) [3c12466b6b7bf1e56f9b32c366a3d83d87afb4de]