mirror/u-boot-2016
1
0
Fork 0
mirror of https://git.codelinaro.org/clo/qsdk/oss/boot/u-boot-2016.git synced 2026-02-15 12:29:08 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

Merge "CVE-2019-13106: ext4: fix out-of-bounds memset"

Browse source
This commit is contained in:
Linux Build Service Account 2020-02-12 21:07:47 -08:00 committed by Gerrit - the friendly Code Review server
commit 78b2005d27
2 changed files with 26 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

15
disk/part_dos.c
View file

@ -24,6 +24,10 @@
#define DOS_PART_DEFAULT_SECTOR 512
/* should this be configurable? It looks like it's not very common at all
* to use large numbers of partitions */
#define MAX_EXT_PARTS 256
/* Convert char[4] in little endian format to the host format integer
*/
static inline int le32_to_int(unsigned char *le32)
@ -109,6 +113,11 @@ static void print_partition_extended(block_dev_desc_t *dev_desc,
dos_partition_t *pt;
int i;
/* set a maximum recursion level */
if (part_num > MAX_EXT_PARTS) {
printf("** Nested DOS partitions detected, stopping **\n");
return;
}
if (dev_desc->block_read(dev_desc->dev, ext_part_sector, 1, (ulong *) buffer) != 1) {
printf ("** Can't read partition table on %d:%d **\n",
dev_desc->dev, ext_part_sector);
@ -173,6 +182,12 @@ static int get_partition_info_extended (block_dev_desc_t *dev_desc, int ext_part
int i;
int dos_type;
/* set a maximum recursion level */
if (part_num > MAX_EXT_PARTS) {
printf("** Nested DOS partitions detected, stopping **\n");
return -1;
}
if (dev_desc->block_read (dev_desc->dev, ext_part_sector, 1, (ulong *) buffer) != 1) {
printf ("** Can't read partition table on %d:%d **\n",
dev_desc->dev, ext_part_sector);

12
fs/ext4/ext4fs.c
View file

@ -63,11 +63,15 @@ int ext4fs_read_file(struct ext2fs_node *node, loff_t pos,
lbaint_t delayed_next = 0;
char *delayed_buf = NULL;
short status;
char *start_buf = buf;
/* Adjust len so it we can't read past the end of the file. */
if (len > filesize)
len = filesize;
if (blocksize <= 0 || len <= 0)
return -1;
blockcnt = lldiv(((len + pos) + blocksize - 1), blocksize);
for (i = lldiv(pos, blocksize); i < blockcnt; i++) {
@ -127,6 +131,8 @@ int ext4fs_read_file(struct ext2fs_node *node, loff_t pos,
(blockend >> log2blksz);
}
} else {
int n;
int n_left;
if (previous_block_number != -1) {
/* spill */
status = ext4fs_devread(delayed_start,
@ -137,7 +143,11 @@ int ext4fs_read_file(struct ext2fs_node *node, loff_t pos,
return -1;
previous_block_number = -1;
}
memset(buf, 0, blocksize - skipfirst);
n = blocksize - skipfirst;
n_left = len - ( buf - start_buf );
if (n > n_left)
n = n_left;
memset(buf, 0, n);
}
buf += blocksize - skipfirst;
}