mirror/u-boot-2016
1
0
Fork 0
mirror of https://git.codelinaro.org/clo/qsdk/oss/boot/u-boot-2016.git synced 2025-12-10 07:44:53 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

CVE-2019-13106: ext4: fix out-of-bounds memset

Browse source 
In ext4fs_read_file in ext4fs.c, a memset can overwrite the bounds of
the destination memory region. This patch adds a check to disallow
this.

Change-Id: I5138ca873009117194407d82af004a637317c1d0
Signed-off-by: Paul Emge <paulemge@forallsecure.com>
Signed-off-by: Karthick Shanmugham <kartshan@codeaurora.org>
This commit is contained in:
Paul Emge 2020-01-14 20:43:52 +05:30 committed by Karthick Shanmugham
parent e621657025
commit 6f8e96927c
1 changed files with 8 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

9
fs/ext4/ext4fs.c
View file

@ -63,6 +63,7 @@ int ext4fs_read_file(struct ext2fs_node *node, loff_t pos,
lbaint_t delayed_next = 0;
char *delayed_buf = NULL;
short status;
char *start_buf = buf;
/* Adjust len so it we can't read past the end of the file. */
if (len > filesize)
@ -130,6 +131,8 @@ int ext4fs_read_file(struct ext2fs_node *node, loff_t pos,
(blockend >> log2blksz);
}
} else {
int n;
int n_left;
if (previous_block_number != -1) {
/* spill */
status = ext4fs_devread(delayed_start,
@ -140,7 +143,11 @@ int ext4fs_read_file(struct ext2fs_node *node, loff_t pos,
return -1;
previous_block_number = -1;
}
memset(buf, 0, blocksize - skipfirst);
n = blocksize - skipfirst;
n_left = len - ( buf - start_buf );
if (n > n_left)
n = n_left;
memset(buf, 0, n);
}
buf += blocksize - skipfirst;
}