| From 1d36545e43003f4b1bb3a303a3b468abd482fa2f Mon Sep 17 00:00:00 2001 |
| From: Paul Emge <paulemge@forallsecure.com> |
| Date: Mon, 8 Jul 2019 16:37:05 -0700 |
| Subject: [PATCH 2/9] CVE-2019-13104: ext4: check for underflow in |
| ext4fs_read_file |
| |
| in ext4fs_read_file, it is possible for a broken/malicious file |
| system to cause a memcpy of a negative number of bytes, which |
| overflows all memory. This patch fixes the issue by checking for |
| a negative length. |
| |
| Signed-off-by: Paul Emge <paulemge@forallsecure.com> |
| |
| Upstream-Status: Backport[http://git.denx.de/?p=u-boot.git;a=commit; |
| h=878269dbe74229005dd7f27aca66c554e31dad8e] |
| |
| CVE: CVE-2019-13104 |
| |
| Signed-off-by: Meng Li <Meng.Li@windriver.com> |
| --- |
| fs/ext4/ext4fs.c | 8 +++++--- |
| 1 file changed, 5 insertions(+), 3 deletions(-) |
| |
| diff --git a/fs/ext4/ext4fs.c b/fs/ext4/ext4fs.c |
| index 26db677a1f..c8c8655ed8 100644 |
| --- a/fs/ext4/ext4fs.c |
| +++ b/fs/ext4/ext4fs.c |
| @@ -66,13 +66,15 @@ int ext4fs_read_file(struct ext2fs_node *node, loff_t pos, |
| |
| ext_cache_init(&cache); |
| |
| - if (blocksize <= 0) |
| - return -1; |
| - |
| /* Adjust len so it we can't read past the end of the file. */ |
| if (len + pos > filesize) |
| len = (filesize - pos); |
| |
| + if (blocksize <= 0 || len <= 0) { |
| + ext_cache_fini(&cache); |
| + return -1; |
| + } |
| + |
| blockcnt = lldiv(((len + pos) + blocksize - 1), blocksize); |
| |
| for (i = lldiv(pos, blocksize); i < blockcnt; i++) { |
| -- |
| 2.17.1 |
| |