File 0010-CVE-2019-13106-ext4-fix-out-of-boun.patch of Package u-boot-geekbox

Overview Repositories Revisions Requests Users Attributes Meta

File 0010-CVE-2019-13106-ext4-fix-out-of-boun.patch of Package u-boot-geekbox (Revision dbae6f1df6bab9dafc4c8d5126ff1d0c)

Currently displaying revision dbae6f1df6bab9dafc4c8d5126ff1d0c , Show latest

From 323c3196640bbadb8d2817ca6ec9ec7833381cb2 Mon Sep 17 00:00:00 2001
From: Paul Emge <paulemge@forallsecure.com>
Date: Mon, 8 Jul 2019 16:37:07 -0700
Subject: [PATCH] CVE-2019-13106: ext4: fix out-of-bounds memset

In ext4fs_read_file in ext4fs.c, a memset can overwrite the bounds of
the destination memory region. This patch adds a check to disallow
this.

This fixes bsc#1144656.

Signed-off-by: Paul Emge <paulemge@forallsecure.com>
(cherry picked from commit e205896c5383c938274262524adceb2775fb03ba)
Signed-off-by: Matthias Brugger <mbrugger@suse.com>
---
 fs/ext4/ext4fs.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/fs/ext4/ext4fs.c b/fs/ext4/ext4fs.c
index 2a28031d14..54f65e7e11 100644
--- a/fs/ext4/ext4fs.c
+++ b/fs/ext4/ext4fs.c
@@ -61,6 +61,7 @@ int ext4fs_read_file(struct ext2fs_node *node, loff_t pos,
 	lbaint_t delayed_skipfirst = 0;
 	lbaint_t delayed_next = 0;
 	char *delayed_buf = NULL;
+	char *start_buf = buf;
 	short status;
 
 	if (blocksize <= 0)
@@ -130,6 +131,7 @@ int ext4fs_read_file(struct ext2fs_node *node, loff_t pos,
 			}
 		} else {
 			int n;
+			int n_left;
 			if (previous_block_number != -1) {
 				/* spill */
 				status = ext4fs_devread(delayed_start,
@@ -142,8 +144,9 @@ int ext4fs_read_file(struct ext2fs_node *node, loff_t pos,
 			}
 			/* Zero no more than `len' bytes. */
 			n = blocksize - skipfirst;
-			if (n > len)
-				n = len;
+			n_left = len - ( buf - start_buf );
+			if (n > n_left)
+				n = n_left;
 			memset(buf, 0, n);
 		}
 		buf += blocksize - skipfirst;

Places

File 0010-CVE-2019-13106-ext4-fix-out-of-boun.patch of Package u-boot-geekbox (Revision dbae6f1df6bab9dafc4c8d5126ff1d0c)

Places