CVE-2019-13106: ext4: fix out-of-bounds memset

author Paul Emge <paulemge@forallsecure.com>

Mon, 8 Jul 2019 23:37:07 +0000 (16:37 -0700)

committer Tom Rini <trini@konsulko.com>

Thu, 18 Jul 2019 15:31:29 +0000 (11:31 -0400)
author Paul Emge <paulemge@forallsecure.com>
Mon, 8 Jul 2019 23:37:07 +0000 (16:37 -0700)
committer Tom Rini <trini@konsulko.com>
Thu, 18 Jul 2019 15:31:29 +0000 (11:31 -0400)
diff --git a/fs/ext4/ext4fs.c b/fs/ext4/ext4fs.c

index e2b740cac4057f8115ca7749c7b99f08c91b2cf7..37b31d9f0fcc4d5674ce64277a1e28c0f3035712 100644 (file)
--- a/fs/ext4/ext4fs.c
+++ b/fs/ext4/ext4fs.c
@@ -61,6 +61,7 @@ int ext4fs_read_file(struct ext2fs_node *node, loff_t pos,
         lbaint_t delayed_skipfirst = 0;
         lbaint_t delayed_next = 0;
         char *delayed_buf = NULL;
+       char *start_buf = buf;
         short status;
         struct ext_block_cache cache;
  
@@ -139,6 +140,7 @@ int ext4fs_read_file(struct ext2fs_node *node, loff_t pos,
                         }
                 } else {
                         int n;
+                       int n_left;
                         if (previous_block_number != -1) {
                                 /* spill */
                                 status = ext4fs_devread(delayed_start,
@@ -153,8 +155,9 @@ int ext4fs_read_file(struct ext2fs_node *node, loff_t pos,
                         }
                         /* Zero no more than `len' bytes. */
                         n = blocksize - skipfirst;
-                       if (n > len)
-                               n = len;
+                       n_left = len - ( buf - start_buf );
+                       if (n > n_left)
+                               n = n_left;
                         memset(buf, 0, n);
                 }
                 buf += blocksize - skipfirst;
author	Paul Emge <paulemge@forallsecure.com>
	Mon, 8 Jul 2019 23:37:07 +0000 (16:37 -0700)
committer	Tom Rini <trini@konsulko.com>
	Thu, 18 Jul 2019 15:31:29 +0000 (11:31 -0400)