From: Paul Emge <paulemge@forallsecure.com>
To: u-boot@lists.denx.de
Subject: [U-Boot] [PATCH 3/5] CVE-2019-13104: ext4: check for underflow in ext4fs_read_file
Date: Mon, 8 Jul 2019 16:37:05 -0700 [thread overview]
Message-ID: <20190708233707.8377-3-paulemge@forallsecure.com> (raw)
In-Reply-To: <20190708233707.8377-1-paulemge@forallsecure.com>
in ext4fs_read_file, it is possible for a broken/malicious file
system to cause a memcpy of a negative number of bytes, which
overflows all memory. This patch fixes the issue by checking for
a negative length.
Signed-off-by: Paul Emge <paulemge@forallsecure.com>
---
fs/ext4/ext4fs.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/fs/ext4/ext4fs.c b/fs/ext4/ext4fs.c
index 85dc122f30..e2b740cac4 100644
--- a/fs/ext4/ext4fs.c
+++ b/fs/ext4/ext4fs.c
@@ -66,13 +66,15 @@ int ext4fs_read_file(struct ext2fs_node *node, loff_t pos,
ext_cache_init(&cache);
- if (blocksize <= 0)
- return -1;
-
/* Adjust len so it we can't read past the end of the file. */
if (len + pos > filesize)
len = (filesize - pos);
+ if (blocksize <= 0 || len <= 0) {
+ ext_cache_fini(&cache);
+ return -1;
+ }
+
blockcnt = lldiv(((len + pos) + blocksize - 1), blocksize);
for (i = lldiv(pos, blocksize); i < blockcnt; i++) {
--
2.20.1
next prev parent reply other threads:[~2019-07-08 23:37 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-07-08 23:37 [U-Boot] [PATCH 1/5] CVE-2019-13103: disk: stop infinite recursion in DOS Partitions Paul Emge
2019-07-08 23:37 ` [U-Boot] [PATCH 2/5] CVE-2019-13105: ext4: fix double-free in ext4_cache_read Paul Emge
2019-07-18 23:58 ` Tom Rini
2019-07-08 23:37 ` Paul Emge [this message]
2019-07-18 23:59 ` [U-Boot] [PATCH 3/5] CVE-2019-13104: ext4: check for underflow in ext4fs_read_file Tom Rini
2019-07-08 23:37 ` [U-Boot] [PATCH 4/5] ext4: gracefully fail on divide-by-0 Paul Emge
2019-07-18 23:59 ` Tom Rini
2019-07-08 23:37 ` [U-Boot] [PATCH 5/5] CVE-2019-13106: ext4: fix out-of-bounds memset Paul Emge
2019-07-18 23:59 ` Tom Rini
2019-07-18 23:58 ` [U-Boot] [PATCH 1/5] CVE-2019-13103: disk: stop infinite recursion in DOS Partitions Tom Rini
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190708233707.8377-3-paulemge@forallsecure.com \
--to=paulemge@forallsecure.com \
--cc=u-boot@lists.denx.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox