diff options
Diffstat (limited to 'meta/recipes-bsp/u-boot/files/0004-CVE-2019-13106.patch')
| -rw-r--r-- | meta/recipes-bsp/u-boot/files/0004-CVE-2019-13106.patch | 56 |
1 files changed, 56 insertions, 0 deletions
diff --git a/meta/recipes-bsp/u-boot/files/0004-CVE-2019-13106.patch b/meta/recipes-bsp/u-boot/files/0004-CVE-2019-13106.patch new file mode 100644 index 0000000000..8e1a1a9943 --- /dev/null +++ b/meta/recipes-bsp/u-boot/files/0004-CVE-2019-13106.patch | |||
| @@ -0,0 +1,56 @@ | |||
| 1 | From 1307dabf5422372483f840dda3963f9dbd2e8e6f Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Paul Emge <paulemge@forallsecure.com> | ||
| 3 | Date: Mon, 8 Jul 2019 16:37:07 -0700 | ||
| 4 | Subject: [PATCH 4/9] CVE-2019-13106: ext4: fix out-of-bounds memset | ||
| 5 | |||
| 6 | In ext4fs_read_file in ext4fs.c, a memset can overwrite the bounds of | ||
| 7 | the destination memory region. This patch adds a check to disallow | ||
| 8 | this. | ||
| 9 | |||
| 10 | Signed-off-by: Paul Emge <paulemge@forallsecure.com> | ||
| 11 | |||
| 12 | Upstream-Status: Backport[http://git.denx.de/?p=u-boot.git;a=commit; | ||
| 13 | h=e205896c5383c938274262524adceb2775fb03ba] | ||
| 14 | |||
| 15 | CVE: CVE-2019-13106 | ||
| 16 | |||
| 17 | Signed-off-by: Meng Li <Meng.Li@windriver.com> | ||
| 18 | --- | ||
| 19 | fs/ext4/ext4fs.c | 7 +++++-- | ||
| 20 | 1 file changed, 5 insertions(+), 2 deletions(-) | ||
| 21 | |||
| 22 | diff --git a/fs/ext4/ext4fs.c b/fs/ext4/ext4fs.c | ||
| 23 | index e2b740cac4..37b31d9f0f 100644 | ||
| 24 | --- a/fs/ext4/ext4fs.c | ||
| 25 | +++ b/fs/ext4/ext4fs.c | ||
| 26 | @@ -61,6 +61,7 @@ int ext4fs_read_file(struct ext2fs_node *node, loff_t pos, | ||
| 27 | lbaint_t delayed_skipfirst = 0; | ||
| 28 | lbaint_t delayed_next = 0; | ||
| 29 | char *delayed_buf = NULL; | ||
| 30 | + char *start_buf = buf; | ||
| 31 | short status; | ||
| 32 | struct ext_block_cache cache; | ||
| 33 | |||
| 34 | @@ -139,6 +140,7 @@ int ext4fs_read_file(struct ext2fs_node *node, loff_t pos, | ||
| 35 | } | ||
| 36 | } else { | ||
| 37 | int n; | ||
| 38 | + int n_left; | ||
| 39 | if (previous_block_number != -1) { | ||
| 40 | /* spill */ | ||
| 41 | status = ext4fs_devread(delayed_start, | ||
| 42 | @@ -153,8 +155,9 @@ int ext4fs_read_file(struct ext2fs_node *node, loff_t pos, | ||
| 43 | } | ||
| 44 | /* Zero no more than `len' bytes. */ | ||
| 45 | n = blocksize - skipfirst; | ||
| 46 | - if (n > len) | ||
| 47 | - n = len; | ||
| 48 | + n_left = len - ( buf - start_buf ); | ||
| 49 | + if (n > n_left) | ||
| 50 | + n = n_left; | ||
| 51 | memset(buf, 0, n); | ||
| 52 | } | ||
| 53 | buf += blocksize - skipfirst; | ||
| 54 | -- | ||
| 55 | 2.17.1 | ||
| 56 | |||