mirror of
https://git.yoctoproject.org/poky
synced 2026-07-16 15:57:04 +00:00
205069a9e8
Add 9 patches to fix below CVE issues. CVE-2019-13103 CVE-2019-13104 CVE-2019-13105 CVE-2019-13106 CVE-2019-14192 CVE-2019-14193 CVE-2019-14194 CVE-2019-14195 CVE-2019-14196 CVE-2019-14197 CVE-2019-14198 CVE-2019-14199 CVE-2019-14200 CVE-2019-14201 CVE-2019-14202 CVE-2019-14203 CVE-2019-14204 (From OE-Core rev: db22dbe158dcb2298bfd74ff6cbba31f67488035) Signed-off-by: Meng Li <Meng.Li@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
50 lines
1.4 KiB
Diff
50 lines
1.4 KiB
Diff
From 1d36545e43003f4b1bb3a303a3b468abd482fa2f Mon Sep 17 00:00:00 2001
|
|
From: Paul Emge <paulemge@forallsecure.com>
|
|
Date: Mon, 8 Jul 2019 16:37:05 -0700
|
|
Subject: [PATCH 2/9] CVE-2019-13104: ext4: check for underflow in
|
|
ext4fs_read_file
|
|
|
|
in ext4fs_read_file, it is possible for a broken/malicious file
|
|
system to cause a memcpy of a negative number of bytes, which
|
|
overflows all memory. This patch fixes the issue by checking for
|
|
a negative length.
|
|
|
|
Signed-off-by: Paul Emge <paulemge@forallsecure.com>
|
|
|
|
Upstream-Status: Backport[http://git.denx.de/?p=u-boot.git;a=commit;
|
|
h=878269dbe74229005dd7f27aca66c554e31dad8e]
|
|
|
|
CVE: CVE-2019-13104
|
|
|
|
Signed-off-by: Meng Li <Meng.Li@windriver.com>
|
|
---
|
|
fs/ext4/ext4fs.c | 8 +++++---
|
|
1 file changed, 5 insertions(+), 3 deletions(-)
|
|
|
|
diff --git a/fs/ext4/ext4fs.c b/fs/ext4/ext4fs.c
|
|
index 26db677a1f..c8c8655ed8 100644
|
|
--- a/fs/ext4/ext4fs.c
|
|
+++ b/fs/ext4/ext4fs.c
|
|
@@ -66,13 +66,15 @@ int ext4fs_read_file(struct ext2fs_node *node, loff_t pos,
|
|
|
|
ext_cache_init(&cache);
|
|
|
|
- if (blocksize <= 0)
|
|
- return -1;
|
|
-
|
|
/* Adjust len so it we can't read past the end of the file. */
|
|
if (len + pos > filesize)
|
|
len = (filesize - pos);
|
|
|
|
+ if (blocksize <= 0 || len <= 0) {
|
|
+ ext_cache_fini(&cache);
|
|
+ return -1;
|
|
+ }
|
|
+
|
|
blockcnt = lldiv(((len + pos) + blocksize - 1), blocksize);
|
|
|
|
for (i = lldiv(pos, blocksize); i < blockcnt; i++) {
|
|
--
|
|
2.17.1
|
|
|