From 2a64b8ae9b952b18b4aef38cb7c41ce6dba16c50 Mon Sep 17 00:00:00 2001
From: "Jason M. Bills"
Date: Mon, 24 May 2021 12:54:37 -0700
Subject: Update to internal 0.52
Signed-off-by: Jason M. Bills
---
 ...104-ext4-check-for-underflow-in-ext4fs_re.patch | 41 ++++++++++++++++++++++
 1 file changed, 41 insertions(+)
 create mode 100644 meta-openbmc-mods/meta-ast2600/recipes-bsp/u-boot/files/CVE-2019-13104/0001-CVE-2019-13104-ext4-check-for-underflow-in-ext4fs_re.patch
(limited to 'meta-openbmc-mods/meta-ast2600/recipes-bsp/u-boot/files/CVE-2019-13104/0001-CVE-2019-13104-ext4-check-for-underflow-in-ext4fs_re.patch')
diff --git a/meta-openbmc-mods/meta-ast2600/recipes-bsp/u-boot/files/CVE-2019-13104/0001-CVE-2019-13104-ext4-check-for-underflow-in-ext4fs_re.patch b/meta-openbmc-mods/meta-ast2600/recipes-bsp/u-boot/files/CVE-2019-13104/0001-CVE-2019-13104-ext4-check-for-underflow-in-ext4fs_re.patch
new file mode 100644
index 000000000..fbb9098fe
--- /dev/null
+++ b/meta-openbmc-mods/meta-ast2600/recipes-bsp/u-boot/files/CVE-2019-13104/0001-CVE-2019-13104-ext4-check-for-underflow-in-ext4fs_re.patch
@@ -0,0 +1,41 @@
+From 878269dbe74229005dd7f27aca66c554e31dad8e Mon Sep 17 00:00:00 2001
+From: Paul Emge
+Date: Mon, 8 Jul 2019 16:37:05 -0700
+Subject: [PATCH] CVE-2019-13104: ext4: check for underflow in ext4fs_read_file
+
+in ext4fs_read_file, it is possible for a broken/malicious file
+system to cause a memcpy of a negative number of bytes, which
+overflows all memory. This patch fixes the issue by checking for
+a negative length.
+
+Signed-off-by: Paul Emge
+---
+ fs/ext4/ext4fs.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/fs/ext4/ext4fs.c b/fs/ext4/ext4fs.c
+index 85dc122f3003..e2b740cac405 100644
+--- a/fs/ext4/ext4fs.c
++++ b/fs/ext4/ext4fs.c
+@@ -66,13 +66,15 @@ int ext4fs_read_file(struct ext2fs_node *node, loff_t pos,
+
+ ext_cache_init(&cache);
+
+- if (blocksize <= 0)
+- return -1;
+-
+ /* Adjust len so it we can't read past the end of the file. */
+ if (len + pos > filesize)
+ len = (filesize - pos);
+
++ if (blocksize <= 0 || len <= 0) {
++ ext_cache_fini(&cache);
++ return -1;
++ }
++
+ blockcnt = lldiv(((len + pos) + blocksize - 1), blocksize);
+
+ for (i = lldiv(pos, blocksize); i < blockcnt; i++) {
+-- 
+2.17.1
+
-- cgit v1.2.3
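Review bot: The new guard `if (blocksize <= 0 || len <= 0)` in the embedded ext4fs.c hunk rejects `len == 0` as well as negative lengths, although the patch description only mentions a negative-length check. A read positioned exactly at end-of-file, or of an empty file, would then return -1 rather than succeed with zero bytes, if any caller depends on that. Consider keeping `len < 0` on the error path and handling `len == 0` as an explicit zero-byte success after `ext_cache_fini(&cache)`. Separately, the clamp `if (len + pos > filesize)` still adds two values before any range check; assuming `len` is a signed `loff_t` like `pos`, rejecting `pos < 0 || pos > filesize` first and then testing `len > filesize - pos` would avoid signed overflow on large caller-supplied values. The body of ext4fs_read_file starts and ends outside the hunk, so how callers derive `len` and consume the return value cannot be confirmed from here.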