diff options
author | Paul Emge <paulemge@forallsecure.com> | 2019-07-08 16:37:05 -0700 |
---|---|---|
committer | Tom Rini <trini@konsulko.com> | 2019-07-18 11:31:29 -0400 |
commit | 878269dbe74229005dd7f27aca66c554e31dad8e (patch) | |
tree | 1cfc04f11647a0a0a5012195205acc33066b8830 | |
parent | 6e5a79de658cb1c8012c86e0837379aa6eabd024 (diff) |
CVE-2019-13104: ext4: check for underflow in ext4fs_read_file
in ext4fs_read_file, it is possible for a broken/malicious file
system to cause a memcpy of a negative number of bytes, which
overflows all memory. This patch fixes the issue by checking for
a negative length.
Signed-off-by: Paul Emge <paulemge@forallsecure.com>
-rw-r--r-- | fs/ext4/ext4fs.c | 8 |
1 files changed, 5 insertions, 3 deletions
diff --git a/fs/ext4/ext4fs.c b/fs/ext4/ext4fs.c index 85dc122f30..e2b740cac4 100644 --- a/fs/ext4/ext4fs.c +++ b/fs/ext4/ext4fs.c @@ -66,13 +66,15 @@ int ext4fs_read_file(struct ext2fs_node *node, loff_t pos, ext_cache_init(&cache); - if (blocksize <= 0) - return -1; - /* Adjust len so it we can't read past the end of the file. */ if (len + pos > filesize) len = (filesize - pos); + if (blocksize <= 0 || len <= 0) { + ext_cache_fini(&cache); + return -1; + } + blockcnt = lldiv(((len + pos) + blocksize - 1), blocksize); for (i = lldiv(pos, blocksize); i < blockcnt; i++) { |