| Brad Bishop | 00e122a | 2019-10-05 11:10:57 -0400 | [diff] [blame] | 1 | From 1d36545e43003f4b1bb3a303a3b468abd482fa2f Mon Sep 17 00:00:00 2001 |
| 2 | From: Paul Emge <paulemge@forallsecure.com> |
| 3 | Date: Mon, 8 Jul 2019 16:37:05 -0700 |
| 4 | Subject: [PATCH 2/9] CVE-2019-13104: ext4: check for underflow in |
| 5 | ext4fs_read_file |
| 6 | |
| 7 | in ext4fs_read_file, it is possible for a broken/malicious file |
| 8 | system to cause a memcpy of a negative number of bytes, which |
| 9 | overflows all memory. This patch fixes the issue by checking for |
| 10 | a negative length. |
| 11 | |
| 12 | Signed-off-by: Paul Emge <paulemge@forallsecure.com> |
| 13 | |
| 14 | Upstream-Status: Backport[http://git.denx.de/?p=u-boot.git;a=commit; |
| 15 | h=878269dbe74229005dd7f27aca66c554e31dad8e] |
| 16 | |
| 17 | CVE: CVE-2019-13104 |
| 18 | |
| 19 | Signed-off-by: Meng Li <Meng.Li@windriver.com> |
| 20 | --- |
| 21 | fs/ext4/ext4fs.c | 8 +++++--- |
| 22 | 1 file changed, 5 insertions(+), 3 deletions(-) |
| 23 | |
| 24 | diff --git a/fs/ext4/ext4fs.c b/fs/ext4/ext4fs.c |
| 25 | index 26db677a1f..c8c8655ed8 100644 |
| 26 | --- a/fs/ext4/ext4fs.c |
| 27 | +++ b/fs/ext4/ext4fs.c |
| 28 | @@ -66,13 +66,15 @@ int ext4fs_read_file(struct ext2fs_node *node, loff_t pos, |
| 29 | |
| 30 | ext_cache_init(&cache); |
| 31 | |
| 32 | - if (blocksize <= 0) |
| 33 | - return -1; |
| 34 | - |
| 35 | /* Adjust len so it we can't read past the end of the file. */ |
| 36 | if (len + pos > filesize) |
| 37 | len = (filesize - pos); |
| 38 | |
| 39 | + if (blocksize <= 0 || len <= 0) { |
| 40 | + ext_cache_fini(&cache); |
| 41 | + return -1; |
| 42 | + } |
| 43 | + |
| 44 | blockcnt = lldiv(((len + pos) + blocksize - 1), blocksize); |
| 45 | |
| 46 | for (i = lldiv(pos, blocksize); i < blockcnt; i++) { |
| 47 | -- |
| 48 | 2.17.1 |
| 49 | |