mirror of
https://github.com/brain-hackers/u-boot-brain
synced 2024-06-09 23:36:03 +09:00
CVE-2019-13104: ext4: check for underflow in ext4fs_read_file
in ext4fs_read_file, it is possible for a broken/malicious file system to cause a memcpy of a negative number of bytes, which overflows all memory. This patch fixes the issue by checking for a negative length. Signed-off-by: Paul Emge <paulemge@forallsecure.com>
parent
6e5a79de65
commit
878269dbe7
|
@ -66,13 +66,15 @@ int ext4fs_read_file(struct ext2fs_node *node, loff_t pos,
|
||||||
|
|
||||||
ext_cache_init(&cache);
|
ext_cache_init(&cache);
|
||||||
|
|
||||||
if (blocksize <= 0)
|
|
||||||
return -1;
|
|
||||||
|
|
||||||
/* Adjust len so it we can't read past the end of the file. */
|
/* Adjust len so it we can't read past the end of the file. */
|
||||||
if (len + pos > filesize)
|
if (len + pos > filesize)
|
||||||
len = (filesize - pos);
|
len = (filesize - pos);
|
||||||
|
|
||||||
|
if (blocksize <= 0 || len <= 0) {
|
||||||
|
ext_cache_fini(&cache);
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
|
|
||||||
blockcnt = lldiv(((len + pos) + blocksize - 1), blocksize);
|
blockcnt = lldiv(((len + pos) + blocksize - 1), blocksize);
|
||||||
|
|
||||||
for (i = lldiv(pos, blocksize); i < blockcnt; i++) {
|
for (i = lldiv(pos, blocksize); i < blockcnt; i++) {
|
||||||
|
|
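Review bot: The new `len <= 0` guard detects the bad length only after the clamp has run, so `len + pos` is still computed on unvalidated values; `pos` is a signed `loff_t` per the hunk header, and a negative `pos` or a sum that overflows is not rejected here (the type of `len` and the origin of `filesize` are outside the hunk, so this part is inferred). Validating the offset before the clamp, `if (pos < 0 || pos > filesize) { ext_cache_fini(&cache); return -1; }`, would rule the negative-length case out up front instead of catching it afterwards. The guard also folds `len == 0` into the error path, so a read at exactly end-of-file now returns -1 rather than reporting zero bytes; if callers treat an empty read as success, split the test into `len < 0` (error) and `len == 0` (nothing to do). A comment on the guard such as `/* a corrupt or malicious filesystem can make filesize < pos, leaving len negative */` would record why it exists. The body of ext4fs_read_file starts before and continues after this hunk.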