1From e205896c5383c938274262524adceb2775fb03ba Mon Sep 17 00:00:00 2001
2From: Paul Emge <paulemge@forallsecure.com>
3Date: Mon, 8 Jul 2019 16:37:07 -0700
4Subject: [PATCH] CVE-2019-13106: ext4: fix out-of-bounds memset
5
6In ext4fs_read_file in ext4fs.c, a memset can overwrite the bounds of
7the destination memory region. This patch adds a check to disallow
8this.
9
10Signed-off-by: Paul Emge <paulemge@forallsecure.com>
11---
12 fs/ext4/ext4fs.c | 7 +++++--
13 1 file changed, 5 insertions(+), 2 deletions(-)
14
15diff --git a/fs/ext4/ext4fs.c b/fs/ext4/ext4fs.c
16index e2b740c..37b31d9 100644
17--- a/fs/ext4/ext4fs.c
18+++ b/fs/ext4/ext4fs.c
19@@ -61,6 +61,7 @@ int ext4fs_read_file(struct ext2fs_node *node, loff_t pos,
20 lbaint_t delayed_skipfirst = 0;
21 lbaint_t delayed_next = 0;
22 char *delayed_buf = NULL;
23+ char *start_buf = buf;
24 short status;
25 struct ext_block_cache cache;
26
27@@ -139,6 +140,7 @@ int ext4fs_read_file(struct ext2fs_node *node, loff_t pos,
28 }
29 } else {
30 int n;
31+ int n_left;
32 if (previous_block_number != -1) {
33 /* spill */
34 status = ext4fs_devread(delayed_start,
35@@ -153,8 +155,9 @@ int ext4fs_read_file(struct ext2fs_node *node, loff_t pos,
36 }
37 /* Zero no more than `len' bytes. */
38 n = blocksize - skipfirst;
39- if (n > len)
40- n = len;
41+ n_left = len - ( buf - start_buf );
42+ if (n > n_left)
43+ n = n_left;
44 memset(buf, 0, n);
45 }
46 buf += blocksize - skipfirst;
47--
481.9.1
49
50
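Review bot: In the third hunk `n_left` can be zero or negative when it reaches `memset(buf, 0, n)`, and nothing rejects that. The trailing `buf += blocksize - skipfirst;` advances `buf` by the whole block remainder rather than by `n`, so on a later pass `buf - start_buf` may exceed `len`, and a negative `n` is converted to a very large `size_t`. Whether another pass can happen depends on the loop bound, which is outside the hunk, so a clamp is the safe assumption: `if (n_left < 0) n_left = 0;` placed before the `if (n > n_left)` comparison. `n_left` is also declared `int` in the second hunk while the subtraction mixes `len` with a pointer difference; if `len` is `loff_t` like `pos` in the signature (its declaration is not visible here), `loff_t n_left;` avoids truncation on large reads. The body of ext4fs_read_file starts and ends outside these hunks.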