diff options
Diffstat (limited to 'meta/recipes-bsp/u-boot/files/0002-CVE-2019-13104.patch')
-rw-r--r-- | meta/recipes-bsp/u-boot/files/0002-CVE-2019-13104.patch | 49 |
1 files changed, 49 insertions, 0 deletions
diff --git a/meta/recipes-bsp/u-boot/files/0002-CVE-2019-13104.patch b/meta/recipes-bsp/u-boot/files/0002-CVE-2019-13104.patch new file mode 100644 index 0000000000..de122b27d0 --- /dev/null +++ b/meta/recipes-bsp/u-boot/files/0002-CVE-2019-13104.patch | |||
@@ -0,0 +1,49 @@ | |||
1 | From 1d36545e43003f4b1bb3a303a3b468abd482fa2f Mon Sep 17 00:00:00 2001 | ||
2 | From: Paul Emge <paulemge@forallsecure.com> | ||
3 | Date: Mon, 8 Jul 2019 16:37:05 -0700 | ||
4 | Subject: [PATCH 2/9] CVE-2019-13104: ext4: check for underflow in | ||
5 | ext4fs_read_file | ||
6 | |||
7 | in ext4fs_read_file, it is possible for a broken/malicious file | ||
8 | system to cause a memcpy of a negative number of bytes, which | ||
9 | overflows all memory. This patch fixes the issue by checking for | ||
10 | a negative length. | ||
11 | |||
12 | Signed-off-by: Paul Emge <paulemge@forallsecure.com> | ||
13 | |||
14 | Upstream-Status: Backport[http://git.denx.de/?p=u-boot.git;a=commit; | ||
15 | h=878269dbe74229005dd7f27aca66c554e31dad8e] | ||
16 | |||
17 | CVE: CVE-2019-13104 | ||
18 | |||
19 | Signed-off-by: Meng Li <Meng.Li@windriver.com> | ||
20 | --- | ||
21 | fs/ext4/ext4fs.c | 8 +++++--- | ||
22 | 1 file changed, 5 insertions(+), 3 deletions(-) | ||
23 | |||
24 | diff --git a/fs/ext4/ext4fs.c b/fs/ext4/ext4fs.c | ||
25 | index 26db677a1f..c8c8655ed8 100644 | ||
26 | --- a/fs/ext4/ext4fs.c | ||
27 | +++ b/fs/ext4/ext4fs.c | ||
28 | @@ -66,13 +66,15 @@ int ext4fs_read_file(struct ext2fs_node *node, loff_t pos, | ||
29 | |||
30 | ext_cache_init(&cache); | ||
31 | |||
32 | - if (blocksize <= 0) | ||
33 | - return -1; | ||
34 | - | ||
35 | /* Adjust len so it we can't read past the end of the file. */ | ||
36 | if (len + pos > filesize) | ||
37 | len = (filesize - pos); | ||
38 | |||
39 | + if (blocksize <= 0 || len <= 0) { | ||
40 | + ext_cache_fini(&cache); | ||
41 | + return -1; | ||
42 | + } | ||
43 | + | ||
44 | blockcnt = lldiv(((len + pos) + blocksize - 1), blocksize); | ||
45 | |||
46 | for (i = lldiv(pos, blocksize); i < blockcnt; i++) { | ||
47 | -- | ||
48 | 2.17.1 | ||
49 | |||