summaryrefslogtreecommitdiffstats
path: root/fs/ext4
diff options
context:
space:
mode:
authorPaul Emge <paulemge@forallsecure.com>2019-07-08 16:37:05 -0700
committerTom Rini <trini@konsulko.com>2019-07-18 11:31:29 -0400
commit878269dbe74229005dd7f27aca66c554e31dad8e (patch)
tree1cfc04f11647a0a0a5012195205acc33066b8830 /fs/ext4
parent6e5a79de658cb1c8012c86e0837379aa6eabd024 (diff)
downloadu-boot-878269dbe74229005dd7f27aca66c554e31dad8e.tar.gz
u-boot-878269dbe74229005dd7f27aca66c554e31dad8e.tar.xz
u-boot-878269dbe74229005dd7f27aca66c554e31dad8e.zip
CVE-2019-13104: ext4: check for underflow in ext4fs_read_file
in ext4fs_read_file, it is possible for a broken/malicious file system to cause a memcpy of a negative number of bytes, which overflows all memory. This patch fixes the issue by checking for a negative length. Signed-off-by: Paul Emge <paulemge@forallsecure.com>
Diffstat (limited to 'fs/ext4')
-rw-r--r--fs/ext4/ext4fs.c8
1 files changed, 5 insertions, 3 deletions
diff --git a/fs/ext4/ext4fs.c b/fs/ext4/ext4fs.c
index 85dc122f30..e2b740cac4 100644
--- a/fs/ext4/ext4fs.c
+++ b/fs/ext4/ext4fs.c
@@ -66,13 +66,15 @@ int ext4fs_read_file(struct ext2fs_node *node, loff_t pos,
ext_cache_init(&cache);
- if (blocksize <= 0)
- return -1;
-
/* Adjust len so it we can't read past the end of the file. */
if (len + pos > filesize)
len = (filesize - pos);
+ if (blocksize <= 0 || len <= 0) {
+ ext_cache_fini(&cache);
+ return -1;
+ }
+
blockcnt = lldiv(((len + pos) + blocksize - 1), blocksize);
for (i = lldiv(pos, blocksize); i < blockcnt; i++) {