diff options
author | Jason M. Bills <jason.m.bills@linux.intel.com> | 2021-05-24 22:54:37 +0300 |
---|---|---|
committer | Jason M. Bills <jason.m.bills@linux.intel.com> | 2021-05-24 23:12:35 +0300 |
commit | 2a64b8ae9b952b18b4aef38cb7c41ce6dba16c50 (patch) | |
tree | 704eb802dc7b987411a0e44d128bdd8978745d8c /meta-openbmc-mods/meta-ast2600/recipes-bsp/u-boot/files/CVE-2019-13106 | |
parent | 0e0df451ae365f09d5c0c766b253f23de26901f2 (diff) | |
download | openbmc-2a64b8ae9b952b18b4aef38cb7c41ce6dba16c50.tar.xz |
Update to internal 0.52
Signed-off-by: Jason M. Bills <jason.m.bills@linux.intel.com>
Diffstat (limited to 'meta-openbmc-mods/meta-ast2600/recipes-bsp/u-boot/files/CVE-2019-13106')
-rw-r--r-- | meta-openbmc-mods/meta-ast2600/recipes-bsp/u-boot/files/CVE-2019-13106/0001-CVE-2019-13106-ext4-fix-out-of-bounds-memset.patch | 49 |
1 files changed, 49 insertions, 0 deletions
diff --git a/meta-openbmc-mods/meta-ast2600/recipes-bsp/u-boot/files/CVE-2019-13106/0001-CVE-2019-13106-ext4-fix-out-of-bounds-memset.patch b/meta-openbmc-mods/meta-ast2600/recipes-bsp/u-boot/files/CVE-2019-13106/0001-CVE-2019-13106-ext4-fix-out-of-bounds-memset.patch new file mode 100644 index 000000000..9bd0b27a8 --- /dev/null +++ b/meta-openbmc-mods/meta-ast2600/recipes-bsp/u-boot/files/CVE-2019-13106/0001-CVE-2019-13106-ext4-fix-out-of-bounds-memset.patch @@ -0,0 +1,49 @@ +From e205896c5383c938274262524adceb2775fb03ba Mon Sep 17 00:00:00 2001 +From: Paul Emge <paulemge@forallsecure.com> +Date: Mon, 8 Jul 2019 16:37:07 -0700 +Subject: [PATCH] CVE-2019-13106: ext4: fix out-of-bounds memset + +In ext4fs_read_file in ext4fs.c, a memset can overwrite the bounds of +the destination memory region. This patch adds a check to disallow +this. + +Signed-off-by: Paul Emge <paulemge@forallsecure.com> +--- + fs/ext4/ext4fs.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/fs/ext4/ext4fs.c b/fs/ext4/ext4fs.c +index e2b740cac405..37b31d9f0fcc 100644 +--- a/fs/ext4/ext4fs.c ++++ b/fs/ext4/ext4fs.c +@@ -61,6 +61,7 @@ int ext4fs_read_file(struct ext2fs_node *node, loff_t pos, + lbaint_t delayed_skipfirst = 0; + lbaint_t delayed_next = 0; + char *delayed_buf = NULL; ++ char *start_buf = buf; + short status; + struct ext_block_cache cache; + +@@ -139,6 +140,7 @@ int ext4fs_read_file(struct ext2fs_node *node, loff_t pos, + } + } else { + int n; ++ int n_left; + if (previous_block_number != -1) { + /* spill */ + status = ext4fs_devread(delayed_start, +@@ -153,8 +155,9 @@ int ext4fs_read_file(struct ext2fs_node *node, loff_t pos, + } + /* Zero no more than `len' bytes. */ + n = blocksize - skipfirst; +- if (n > len) +- n = len; ++ n_left = len - ( buf - start_buf ); ++ if (n > n_left) ++ n = n_left; + memset(buf, 0, n); + } + buf += blocksize - skipfirst; +-- +2.17.1 + |