]> git.dujemihanovic.xyz Git - u-boot.git/commitdiff
CVE-2019-13106: ext4: fix out-of-bounds memset
authorPaul Emge <paulemge@forallsecure.com>
Mon, 8 Jul 2019 23:37:07 +0000 (16:37 -0700)
committerTom Rini <trini@konsulko.com>
Thu, 18 Jul 2019 15:31:29 +0000 (11:31 -0400)
In ext4fs_read_file in ext4fs.c, a memset can overwrite the bounds of
the destination memory region. This patch adds a check to disallow
this.

Signed-off-by: Paul Emge <paulemge@forallsecure.com>
fs/ext4/ext4fs.c

index e2b740cac4057f8115ca7749c7b99f08c91b2cf7..37b31d9f0fcc4d5674ce64277a1e28c0f3035712 100644 (file)
@@ -61,6 +61,7 @@ int ext4fs_read_file(struct ext2fs_node *node, loff_t pos,
        lbaint_t delayed_skipfirst = 0;
        lbaint_t delayed_next = 0;
        char *delayed_buf = NULL;
+       char *start_buf = buf;
        short status;
        struct ext_block_cache cache;
 
@@ -139,6 +140,7 @@ int ext4fs_read_file(struct ext2fs_node *node, loff_t pos,
                        }
                } else {
                        int n;
+                       int n_left;
                        if (previous_block_number != -1) {
                                /* spill */
                                status = ext4fs_devread(delayed_start,
@@ -153,8 +155,9 @@ int ext4fs_read_file(struct ext2fs_node *node, loff_t pos,
                        }
                        /* Zero no more than `len' bytes. */
                        n = blocksize - skipfirst;
-                       if (n > len)
-                               n = len;
+                       n_left = len - ( buf - start_buf );
+                       if (n > n_left)
+                               n = n_left;
                        memset(buf, 0, n);
                }
                buf += blocksize - skipfirst;