1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
|
From e205896c5383c938274262524adceb2775fb03ba Mon Sep 17 00:00:00 2001
From: Paul Emge <paulemge@forallsecure.com>
Date: Mon, 8 Jul 2019 16:37:07 -0700
Subject: [PATCH] CVE-2019-13106: ext4: fix out-of-bounds memset
In ext4fs_read_file in ext4fs.c, a memset can overwrite the bounds of
the destination memory region. This patch adds a check to disallow
this.
Signed-off-by: Paul Emge <paulemge@forallsecure.com>
---
fs/ext4/ext4fs.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/fs/ext4/ext4fs.c b/fs/ext4/ext4fs.c
index e2b740cac405..37b31d9f0fcc 100644
--- a/fs/ext4/ext4fs.c
+++ b/fs/ext4/ext4fs.c
@@ -61,6 +61,7 @@ int ext4fs_read_file(struct ext2fs_node *node, loff_t pos,
lbaint_t delayed_skipfirst = 0;
lbaint_t delayed_next = 0;
char *delayed_buf = NULL;
+ char *start_buf = buf;
short status;
struct ext_block_cache cache;
@@ -139,6 +140,7 @@ int ext4fs_read_file(struct ext2fs_node *node, loff_t pos,
}
} else {
int n;
+ int n_left;
if (previous_block_number != -1) {
/* spill */
status = ext4fs_devread(delayed_start,
@@ -153,8 +155,9 @@ int ext4fs_read_file(struct ext2fs_node *node, loff_t pos,
}
/* Zero no more than `len' bytes. */
n = blocksize - skipfirst;
- if (n > len)
- n = len;
+ n_left = len - ( buf - start_buf );
+ if (n > n_left)
+ n = n_left;
memset(buf, 0, n);
}
buf += blocksize - skipfirst;
--
2.17.1
|
