commit 627e3c862147bbb74c4f7712fe32953cdc739436
author Paul Emge <paulemge@forallsecure.com> Mon Jul 08 16:37:07 2019 -0700
committer Tom Rini <trini@konsulko.com> Thu Jul 18 11:31:29 2019 -0400
tree daaeb1cc7f40b50354816318a46735a0d6160fc4
parent 16b19bbb39e62c583f6ba4044d33e8cadd7a1e3d

CVE-2019-13106: ext4: fix out-of-bounds memset

In ext4fs_read_file in ext4fs.c, a memset can overwrite the bounds of
the destination memory region. This patch adds a check to disallow
this.

Signed-off-by: Paul Emge <paulemge@forallsecure.com>

fs/ext4/ext4fs.c

diff --git a/fs/ext4/ext4fs.c b/fs/ext4/ext4fs.c
index e2b740c..37b31d9 100644
--- a/fs/ext4/ext4fs.c
+++ b/fs/ext4/ext4fs.c
@@ -61,6 +61,7 @@
 	lbaint_t delayed_skipfirst = 0;
 	lbaint_t delayed_next = 0;
 	char *delayed_buf = NULL;
+	char *start_buf = buf;
 	short status;
 	struct ext_block_cache cache;
 
@@ -139,6 +140,7 @@
 			}
 		} else {
 			int n;
+			int n_left;
 			if (previous_block_number != -1) {
 				/* spill */
 				status = ext4fs_devread(delayed_start,
@@ -153,8 +155,9 @@
 			}
 			/* Zero no more than `len' bytes. */
 			n = blocksize - skipfirst;
-			if (n > len)
-				n = len;
+			n_left = len - ( buf - start_buf );
+			if (n > n_left)
+				n = n_left;
 			memset(buf, 0, n);
 		}
 		buf += blocksize - skipfirst;