Gitiles
Code Review Sign In
gerrit.openbmc.org / stefanberger / openbmc / 868407c65d79e82e83c37f7c32bef9a2e2bc4cd5 / . / poky / meta / recipes-bsp / u-boot / files / 0004-CVE-2019-13106.patch
blob: 8e1a1a99435a5b01f20597f851695866c26361a4 [file] [log] [blame]
Brad Bishop00e122a2019-10-05 11:10:57 -0400[diff] [blame]1From 1307dabf5422372483f840dda3963f9dbd2e8e6f Mon Sep 17 00:00:00 2001
2From: Paul Emge <paulemge@forallsecure.com>
3Date: Mon, 8 Jul 2019 16:37:07 -0700
4Subject: [PATCH 4/9] CVE-2019-13106: ext4: fix out-of-bounds memset
5
6In ext4fs_read_file in ext4fs.c, a memset can overwrite the bounds of
7the destination memory region. This patch adds a check to disallow
8this.
9
10Signed-off-by: Paul Emge <paulemge@forallsecure.com>
11
12Upstream-Status: Backport[http://git.denx.de/?p=u-boot.git;a=commit;
13 h=e205896c5383c938274262524adceb2775fb03ba]
14
15CVE: CVE-2019-13106
16
17Signed-off-by: Meng Li <Meng.Li@windriver.com>
18---
19 fs/ext4/ext4fs.c | 7 +++++--
20 1 file changed, 5 insertions(+), 2 deletions(-)
21
22diff --git a/fs/ext4/ext4fs.c b/fs/ext4/ext4fs.c
23index e2b740cac4..37b31d9f0f 100644
24--- a/fs/ext4/ext4fs.c
25+++ b/fs/ext4/ext4fs.c
26@@ -61,6 +61,7 @@ int ext4fs_read_file(struct ext2fs_node *node, loff_t pos,
27 lbaint_t delayed_skipfirst = 0;
28 lbaint_t delayed_next = 0;
29 char *delayed_buf = NULL;
30+ char *start_buf = buf;
31 short status;
32 struct ext_block_cache cache;
33
34@@ -139,6 +140,7 @@ int ext4fs_read_file(struct ext2fs_node *node, loff_t pos,
35 }
36 } else {
37 int n;
38+ int n_left;
39 if (previous_block_number != -1) {
40 /* spill */
41 status = ext4fs_devread(delayed_start,
42@@ -153,8 +155,9 @@ int ext4fs_read_file(struct ext2fs_node *node, loff_t pos,
43 }
44 /* Zero no more than `len' bytes. */
45 n = blocksize - skipfirst;
46- if (n > len)
47- n = len;
48+ n_left = len - ( buf - start_buf );
49+ if (n > n_left)
50+ n = n_left;
51 memset(buf, 0, n);
52 }
53 buf += blocksize - skipfirst;
54--
552.17.1
56