diff options
author | jmbills <42755197+jmbills@users.noreply.github.com> | 2019-10-25 19:18:16 +0300 |
---|---|---|
committer | GitHub <noreply@github.com> | 2019-10-25 19:18:16 +0300 |
commit | 0dbb60593ebb5a62190c0e6cff7f1770493303a2 (patch) | |
tree | 0df2ce67404dbca3ddc4ee063dbfd9ae455be682 /poky/meta/recipes-bsp/u-boot/files/0004-CVE-2019-13106.patch | |
parent | 34a3942845ac3264ce27c648ae5486d302c3e6d8 (diff) | |
parent | cc9cea46d74d280de03c713c8b555153fd811f09 (diff) | |
download | openbmc-0dbb60593ebb5a62190c0e6cff7f1770493303a2.tar.xz |
Merge branch 'intel' into intel2
Diffstat (limited to 'poky/meta/recipes-bsp/u-boot/files/0004-CVE-2019-13106.patch')
-rw-r--r-- | poky/meta/recipes-bsp/u-boot/files/0004-CVE-2019-13106.patch | 56 |
1 files changed, 56 insertions, 0 deletions
diff --git a/poky/meta/recipes-bsp/u-boot/files/0004-CVE-2019-13106.patch b/poky/meta/recipes-bsp/u-boot/files/0004-CVE-2019-13106.patch new file mode 100644 index 000000000..8e1a1a994 --- /dev/null +++ b/poky/meta/recipes-bsp/u-boot/files/0004-CVE-2019-13106.patch @@ -0,0 +1,56 @@ +From 1307dabf5422372483f840dda3963f9dbd2e8e6f Mon Sep 17 00:00:00 2001 +From: Paul Emge <paulemge@forallsecure.com> +Date: Mon, 8 Jul 2019 16:37:07 -0700 +Subject: [PATCH 4/9] CVE-2019-13106: ext4: fix out-of-bounds memset + +In ext4fs_read_file in ext4fs.c, a memset can overwrite the bounds of +the destination memory region. This patch adds a check to disallow +this. + +Signed-off-by: Paul Emge <paulemge@forallsecure.com> + +Upstream-Status: Backport[http://git.denx.de/?p=u-boot.git;a=commit; + h=e205896c5383c938274262524adceb2775fb03ba] + +CVE: CVE-2019-13106 + +Signed-off-by: Meng Li <Meng.Li@windriver.com> +--- + fs/ext4/ext4fs.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/fs/ext4/ext4fs.c b/fs/ext4/ext4fs.c +index e2b740cac4..37b31d9f0f 100644 +--- a/fs/ext4/ext4fs.c ++++ b/fs/ext4/ext4fs.c +@@ -61,6 +61,7 @@ int ext4fs_read_file(struct ext2fs_node *node, loff_t pos, + lbaint_t delayed_skipfirst = 0; + lbaint_t delayed_next = 0; + char *delayed_buf = NULL; ++ char *start_buf = buf; + short status; + struct ext_block_cache cache; + +@@ -139,6 +140,7 @@ int ext4fs_read_file(struct ext2fs_node *node, loff_t pos, + } + } else { + int n; ++ int n_left; + if (previous_block_number != -1) { + /* spill */ + status = ext4fs_devread(delayed_start, +@@ -153,8 +155,9 @@ int ext4fs_read_file(struct ext2fs_node *node, loff_t pos, + } + /* Zero no more than `len' bytes. */ + n = blocksize - skipfirst; +- if (n > len) +- n = len; ++ n_left = len - ( buf - start_buf ); ++ if (n > n_left) ++ n = n_left; + memset(buf, 0, n); + } + buf += blocksize - skipfirst; +-- +2.17.1 + |