File 0010-CVE-2019-13106-ext4-fix-out-of-boun.patch of Package u-boot-lamobor1
xxxxxxxxxx
1
From 323c3196640bbadb8d2817ca6ec9ec7833381cb2 Mon Sep 17 00:00:00 2001
2
From: Paul Emge <paulemge@forallsecure.com>
3
Date: Mon, 8 Jul 2019 16:37:07 -0700
4
Subject: [PATCH] CVE-2019-13106: ext4: fix out-of-bounds memset
5
6
In ext4fs_read_file in ext4fs.c, a memset can overwrite the bounds of
7
the destination memory region. This patch adds a check to disallow
8
this.
9
10
This fixes bsc#1144656.
11
12
Signed-off-by: Paul Emge <paulemge@forallsecure.com>
13
(cherry picked from commit e205896c5383c938274262524adceb2775fb03ba)
14
Signed-off-by: Matthias Brugger <mbrugger@suse.com>
15
---
16
fs/ext4/ext4fs.c | 7 +++++--
17
1 file changed, 5 insertions(+), 2 deletions(-)
18
19
diff --git a/fs/ext4/ext4fs.c b/fs/ext4/ext4fs.c
20
index 2a28031d14..54f65e7e11 100644
21
--- a/fs/ext4/ext4fs.c
22
+++ b/fs/ext4/ext4fs.c
23
24
lbaint_t delayed_skipfirst = 0;
25
lbaint_t delayed_next = 0;
26
char *delayed_buf = NULL;
27
+ char *start_buf = buf;
28
short status;
29
30
if (blocksize <= 0)
31
32
}
33
} else {
34
int n;
35
+ int n_left;
36
if (previous_block_number != -1) {
37
/* spill */
38
status = ext4fs_devread(delayed_start,
39
40
}
41
/* Zero no more than `len' bytes. */
42
n = blocksize - skipfirst;
43
- if (n > len)
44
- n = len;
45
+ n_left = len - ( buf - start_buf );
46
+ if (n > n_left)
47
+ n = n_left;
48
memset(buf, 0, n);
49
}
50
buf += blocksize - skipfirst;
51