From 6f8e96927c48c7ef91190cfe317d4977e97eea0e Mon Sep 17 00:00:00 2001
From: Paul Emge
Date: Tue, 14 Jan 2020 20:43:52 +0530
Subject: [PATCH] CVE-2019-13106: ext4: fix out-of-bounds memset
In ext4fs_read_file in ext4fs.c, a memset can overwrite the bounds of the destination memory region. This patch adds a check to disallow this.
Change-Id: I5138ca873009117194407d82af004a637317c1d0
Signed-off-by: Paul Emge
Signed-off-by: Karthick Shanmugham
---
 fs/ext4/ext4fs.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/fs/ext4/ext4fs.c b/fs/ext4/ext4fs.c
index 38ba8f3e56..c0d063252d 100644
--- a/fs/ext4/ext4fs.c
+++ b/fs/ext4/ext4fs.c
@@ -63,6 +63,7 @@ int ext4fs_read_file(struct ext2fs_node *node, loff_t pos,
 lbaint_t delayed_next = 0;
 char *delayed_buf = NULL;
 short status;
+ char *start_buf = buf;
 /* Adjust len so it we can't read past the end of the file. */
 if (len > filesize)
@@ -130,6 +131,8 @@ int ext4fs_read_file(struct ext2fs_node *node, loff_t pos,
 (blockend >> log2blksz);
 }
 } else {
+ int n;
+ int n_left;
 if (previous_block_number != -1) {
 /* spill */
 status = ext4fs_devread(delayed_start,
@@ -140,7 +143,11 @@ int ext4fs_read_file(struct ext2fs_node *node, loff_t pos,
 return -1;
 previous_block_number = -1;
 }
- memset(buf, 0, blocksize - skipfirst);
+ n = blocksize - skipfirst;
+ n_left = len - ( buf - start_buf );
+ if (n > n_left)
+ n = n_left;
+ memset(buf, 0, n);
 }
 buf += blocksize - skipfirst;
 }
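Review bot: `n` and `n_left` are declared `int` in the second hunk, while the clamp in the third hunk computes `n_left = len - ( buf - start_buf );`, so if `len` is wider than `int` (its declaration is outside the hunk, next to `loff_t pos`) the remaining length is truncated and a negative or wrapped value would reach `memset(buf, 0, n)` as a very large size. Declaring both in the type of `len` and treating a non-positive remainder as nothing to zero would close that: `if (n_left <= 0) n = 0; else if (n > n_left) n = n_left;`. A one-line comment above the clamp, such as `/* Zero no more than len bytes. */`, would also record why the bound exists. The body of ext4fs_read_file starts and ends outside these hunks, so whether the read branch bounds its writes the same way cannot be checked here.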