From 043f757bb9cab39b6bee2e49550a99c66c122a60 Mon Sep 17 00:00:00 2001
From: Paul Emge <paulemge@forallsecure.com>
Date: Tue, 14 Jan 2020 19:53:11 +0530
Subject: [PATCH 1/3] CVE-2019-13103: disk: stop infinite recursion in DOS
 Partitions

part_get_info_extended and print_partition_extended can recurse infinitely
while parsing a self-referential filesystem or one with a silly number of
extended partitions. This patch adds a limit to the number of recursive
partitions.

Change-Id: Ibf1449684580a313869ce9961077c46a12a42d8c
Signed-off-by: Paul Emge <paulemge@forallsecure.com>
Signed-off-by: Karthick Shanmugham <kartshan@codeaurora.org>
---
 disk/part_dos.c | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/disk/part_dos.c b/disk/part_dos.c
index 89263d38aa..d6da3c0ec5 100644
--- a/disk/part_dos.c
+++ b/disk/part_dos.c
@@ -24,6 +24,10 @@
 
 #define DOS_PART_DEFAULT_SECTOR 512
 
+/* should this be configurable? It looks like it's not very common at all
+ * to use large numbers of partitions */
+#define MAX_EXT_PARTS 256
+
 /* Convert char[4] in little endian format to the host format integer
  */
 static inline int le32_to_int(unsigned char *le32)
@@ -109,6 +113,11 @@ static void print_partition_extended(block_dev_desc_t *dev_desc,
 	dos_partition_t *pt;
 	int i;
 
+	/* set a maximum recursion level */
+	if (part_num > MAX_EXT_PARTS) {
+		printf("** Nested DOS partitions detected, stopping **\n");
+		return;
+	}
 	if (dev_desc->block_read(dev_desc->dev, ext_part_sector, 1, (ulong *) buffer) != 1) {
 		printf ("** Can't read partition table on %d:%d **\n",
 			dev_desc->dev, ext_part_sector);
@@ -173,6 +182,12 @@ static int get_partition_info_extended (block_dev_desc_t *dev_desc, int ext_part
 	int i;
 	int dos_type;
 
+	/* set a maximum recursion level */
+	if (part_num > MAX_EXT_PARTS) {
+		printf("** Nested DOS partitions detected, stopping **\n");
+		return -1;
+	}
+
 	if (dev_desc->block_read (dev_desc->dev, ext_part_sector, 1, (ulong *) buffer) != 1) {
 		printf ("** Can't read partition table on %d:%d **\n",
 			dev_desc->dev, ext_part_sector);

From e621657025f4d05b88b6f8bebae567a268e0b90a Mon Sep 17 00:00:00 2001
From: Paul Emge <paulemge@forallsecure.com>
Date: Tue, 14 Jan 2020 20:15:32 +0530
Subject: [PATCH 2/3] CVE-2019-13104: ext4: check for underflow in
 ext4fs_read_file

In ext4fs_read_file, it is possible for a broken/malicious file
system to cause a memcpy of a negative number of bytes, which
overflows all memory. This patch fixes the issue by checking for
a negative length.

Change-Id: Ia9abdb744dfff20aa1a538d38f335284e30a307b
Signed-off-by: Paul Emge <paulemge@forallsecure.com>
Signed-off-by: Karthick Shanmugham <kartshan@codeaurora.org>
---
 fs/ext4/ext4fs.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/fs/ext4/ext4fs.c b/fs/ext4/ext4fs.c
index 258b93791b..38ba8f3e56 100644
--- a/fs/ext4/ext4fs.c
+++ b/fs/ext4/ext4fs.c
@@ -68,6 +68,9 @@ int ext4fs_read_file(struct ext2fs_node *node, loff_t pos,
 	if (len > filesize)
 		len = filesize;
 
+	if (blocksize <= 0 || len <= 0)
+		return -1;
+
 	blockcnt = lldiv(((len + pos) + blocksize - 1), blocksize);
 
 	for (i = lldiv(pos, blocksize); i < blockcnt; i++) {

From 6f8e96927c48c7ef91190cfe317d4977e97eea0e Mon Sep 17 00:00:00 2001
From: Paul Emge <paulemge@forallsecure.com>
Date: Tue, 14 Jan 2020 20:43:52 +0530
Subject: [PATCH 3/3] CVE-2019-13106: ext4: fix out-of-bounds memset

In ext4fs_read_file in ext4fs.c, a memset can overwrite the bounds of
the destination memory region. This patch adds a check to disallow
this.

Change-Id: I5138ca873009117194407d82af004a637317c1d0
Signed-off-by: Paul Emge <paulemge@forallsecure.com>
Signed-off-by: Karthick Shanmugham <kartshan@codeaurora.org>
---
 fs/ext4/ext4fs.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/fs/ext4/ext4fs.c b/fs/ext4/ext4fs.c
index 38ba8f3e56..c0d063252d 100644
--- a/fs/ext4/ext4fs.c
+++ b/fs/ext4/ext4fs.c
@@ -63,6 +63,7 @@ int ext4fs_read_file(struct ext2fs_node *node, loff_t pos,
 	lbaint_t delayed_next = 0;
 	char *delayed_buf = NULL;
 	short status;
+	char *start_buf = buf;
 
 	/* Adjust len so it we can't read past the end of the file. */
 	if (len > filesize)
@@ -130,6 +131,8 @@ int ext4fs_read_file(struct ext2fs_node *node, loff_t pos,
 					(blockend >> log2blksz);
 			}
 		} else {
+			int n;
+			int n_left;
 			if (previous_block_number != -1) {
 				/* spill */
 				status = ext4fs_devread(delayed_start,
@@ -140,7 +143,11 @@ int ext4fs_read_file(struct ext2fs_node *node, loff_t pos,
 					return -1;
 				previous_block_number = -1;
 			}
-			memset(buf, 0, blocksize - skipfirst);
+			n = blocksize - skipfirst;
+			n_left = len - ( buf - start_buf );
+			if (n > n_left)
+				n = n_left;
+			memset(buf, 0, n);
 		}
 		buf += blocksize - skipfirst;
 	}