[U-Boot] [PATCH 4/5] ext4: gracefully fail on divide-by-0
This patch checks for 0 in several ext4 headers and gracefully fails instead of raising a divide-by-0 exception. Signed-off-by: Paul Emge --- fs/ext4/ext4_common.c | 12 1 file changed, 12 insertions(+) diff --git a/fs/ext4/ext4_common.c b/fs/ext4/ext4_common.c index 464c33d0d7..0d15e0c3cd 100644 --- a/fs/ext4/ext4_common.c +++ b/fs/ext4/ext4_common.c @@ -1571,8 +1571,12 @@ static int ext4fs_blockgroup int log2blksz = get_fs()->dev_desc->log2blksz; int desc_size = get_fs()->gdsize; + if (desc_size == 0) + return 0; desc_per_blk = EXT2_BLOCK_SIZE(data) / desc_size; + if (desc_per_blk == 0) + return 0; blkno = le32_to_cpu(data->sblock.first_data_block) + 1 + group / desc_per_blk; blkoff = (group % desc_per_blk) * desc_size; @@ -1602,6 +1606,10 @@ int ext4fs_read_inode(struct ext2_data *data, int ino, struct ext2_inode *inode) /* It is easier to calculate if the first inode is 0. */ ino--; + if ( le32_to_cpu(sblock->inodes_per_group) == 0 || fs->inodesz == 0) { + free(blkgrp); + return 0; + } status = ext4fs_blockgroup(data, ino / le32_to_cpu (sblock->inodes_per_group), blkgrp); if (status == 0) { @@ -1610,6 +1618,10 @@ int ext4fs_read_inode(struct ext2_data *data, int ino, struct ext2_inode *inode) } inodes_per_block = EXT2_BLOCK_SIZE(data) / fs->inodesz; + if ( inodes_per_block == 0 ) { + free(blkgrp); + return 0; + } blkno = ext4fs_bg_get_inode_table_id(blkgrp, fs) + (ino % le32_to_cpu(sblock->inodes_per_group)) / inodes_per_block; blkoff = (ino % inodes_per_block) * fs->inodesz; -- 2.20.1 ___ U-Boot mailing list U-Boot@lists.denx.de https://lists.denx.de/listinfo/u-boot
[U-Boot] [PATCH 5/5] CVE-2019-13106: ext4: fix out-of-bounds memset
In ext4fs_read_file in ext4fs.c, a memset can overwrite the bounds of the destination memory region. This patch adds a check to disallow this. Signed-off-by: Paul Emge --- fs/ext4/ext4fs.c | 7 +-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/fs/ext4/ext4fs.c b/fs/ext4/ext4fs.c index e2b740cac4..37b31d9f0f 100644 --- a/fs/ext4/ext4fs.c +++ b/fs/ext4/ext4fs.c @@ -61,6 +61,7 @@ int ext4fs_read_file(struct ext2fs_node *node, loff_t pos, lbaint_t delayed_skipfirst = 0; lbaint_t delayed_next = 0; char *delayed_buf = NULL; + char *start_buf = buf; short status; struct ext_block_cache cache; @@ -139,6 +140,7 @@ int ext4fs_read_file(struct ext2fs_node *node, loff_t pos, } } else { int n; + int n_left; if (previous_block_number != -1) { /* spill */ status = ext4fs_devread(delayed_start, @@ -153,8 +155,9 @@ int ext4fs_read_file(struct ext2fs_node *node, loff_t pos, } /* Zero no more than `len' bytes. */ n = blocksize - skipfirst; - if (n > len) - n = len; + n_left = len - ( buf - start_buf ); + if (n > n_left) + n = n_left; memset(buf, 0, n); } buf += blocksize - skipfirst; -- 2.20.1 ___ U-Boot mailing list U-Boot@lists.denx.de https://lists.denx.de/listinfo/u-boot
[U-Boot] [PATCH 3/5] CVE-2019-13104: ext4: check for underflow in ext4fs_read_file
in ext4fs_read_file, it is possible for a broken/malicious file system to cause a memcpy of a negative number of bytes, which overflows all memory. This patch fixes the issue by checking for a negative length. Signed-off-by: Paul Emge --- fs/ext4/ext4fs.c | 8 +--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/fs/ext4/ext4fs.c b/fs/ext4/ext4fs.c index 85dc122f30..e2b740cac4 100644 --- a/fs/ext4/ext4fs.c +++ b/fs/ext4/ext4fs.c @@ -66,13 +66,15 @@ int ext4fs_read_file(struct ext2fs_node *node, loff_t pos, ext_cache_init(&cache); - if (blocksize <= 0) - return -1; - /* Adjust len so it we can't read past the end of the file. */ if (len + pos > filesize) len = (filesize - pos); + if (blocksize <= 0 || len <= 0) { + ext_cache_fini(&cache); + return -1; + } + blockcnt = lldiv(((len + pos) + blocksize - 1), blocksize); for (i = lldiv(pos, blocksize); i < blockcnt; i++) { -- 2.20.1 ___ U-Boot mailing list U-Boot@lists.denx.de https://lists.denx.de/listinfo/u-boot
[U-Boot] [PATCH 2/5] CVE-2019-13105: ext4: fix double-free in ext4_cache_read
ext_cache_read doesn't null cache->buf, after freeing, which results in a later function double-freeing it. This patch fixes ext_cache_read to call ext_cache_fini instead of free. Signed-off-by: Paul Emge --- fs/ext4/ext4fs.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fs/ext4/ext4fs.c b/fs/ext4/ext4fs.c index 26db677a1f..85dc122f30 100644 --- a/fs/ext4/ext4fs.c +++ b/fs/ext4/ext4fs.c @@ -286,7 +286,7 @@ int ext_cache_read(struct ext_block_cache *cache, lbaint_t block, int size) if (!cache->buf) return 0; if (!ext4fs_devread(block, 0, size, cache->buf)) { - free(cache->buf); + ext_cache_fini(cache); return 0; } cache->block = block; -- 2.20.1 ___ U-Boot mailing list U-Boot@lists.denx.de https://lists.denx.de/listinfo/u-boot
[U-Boot] [PATCH 1/5] CVE-2019-13103: disk: stop infinite recursion in DOS Partitions
part_get_info_extended and print_partition_extended can recurse infinitely while parsing a self-referential filesystem or one with a silly number of extended partitions. This patch adds a limit to the number of recursive partitions. Signed-off-by: Paul Emge --- disk/part_dos.c | 18 ++ 1 file changed, 18 insertions(+) diff --git a/disk/part_dos.c b/disk/part_dos.c index 936cee0d36..aae9d95906 100644 --- a/disk/part_dos.c +++ b/disk/part_dos.c @@ -23,6 +23,10 @@ #define DOS_PART_DEFAULT_SECTOR 512 +/* should this be configurable? It looks like it's not very common at all + * to use large numbers of partitions */ +#define MAX_EXT_PARTS 256 + /* Convert char[4] in little endian format to the host format integer */ static inline unsigned int le32_to_int(unsigned char *le32) @@ -126,6 +130,13 @@ static void print_partition_extended(struct blk_desc *dev_desc, dos_partition_t *pt; int i; + /* set a maximum recursion level */ + if (part_num > MAX_EXT_PARTS) + { + printf("** Nested DOS partitions detected, stopping **\n"); + return; +} + if (blk_dread(dev_desc, ext_part_sector, 1, (ulong *)buffer) != 1) { printf ("** Can't read partition table on %d:" LBAFU " **\n", dev_desc->devnum, ext_part_sector); @@ -191,6 +202,13 @@ static int part_get_info_extended(struct blk_desc *dev_desc, int i; int dos_type; + /* set a maximum recursion level */ + if (part_num > MAX_EXT_PARTS) + { + printf("** Nested DOS partitions detected, stopping **\n"); + return -1; +} + if (blk_dread(dev_desc, ext_part_sector, 1, (ulong *)buffer) != 1) { printf ("** Can't read partition table on %d:" LBAFU " **\n", dev_desc->devnum, ext_part_sector); -- 2.20.1 ___ U-Boot mailing list U-Boot@lists.denx.de https://lists.denx.de/listinfo/u-boot