1 files changed, 56 insertions, 0 deletions

diff --git a/meta/recipes-bsp/u-boot/files/0004-CVE-2019-13106.patch b/meta/recipes-bsp/u-boot/files/0004-CVE-2019-13106.patch
new file mode 100644
index 0000000000..8e1a1a9943
--- /dev/null
+++ b/meta/recipes-bsp/u-boot/files/0004-CVE-2019-13106.patch
@@ -0,0 +1,56 @@
+From 1307dabf5422372483f840dda3963f9dbd2e8e6f Mon Sep 17 00:00:00 2001
+From: Paul Emge <paulemge@forallsecure.com>
+Date: Mon, 8 Jul 2019 16:37:07 -0700
+Subject: [PATCH 4/9] CVE-2019-13106: ext4: fix out-of-bounds memset
+
+In ext4fs_read_file in ext4fs.c, a memset can overwrite the bounds of
+the destination memory region. This patch adds a check to disallow
+this.
+
+Signed-off-by: Paul Emge <paulemge@forallsecure.com>
+
+Upstream-Status: Backport[http://git.denx.de/?p=u-boot.git;a=commit;
+                 h=e205896c5383c938274262524adceb2775fb03ba]
+
+CVE: CVE-2019-13106
+
+Signed-off-by: Meng Li <Meng.Li@windriver.com>
+---
+ fs/ext4/ext4fs.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/fs/ext4/ext4fs.c b/fs/ext4/ext4fs.c
+index e2b740cac4..37b31d9f0f 100644
+--- a/fs/ext4/ext4fs.c
++++ b/fs/ext4/ext4fs.c
+@@ -61,6 +61,7 @@ int ext4fs_read_file(struct ext2fs_node *node, loff_t pos,
+ 	lbaint_t delayed_skipfirst = 0;
+ 	lbaint_t delayed_next = 0;
+ 	char *delayed_buf = NULL;
++	char *start_buf = buf;
+ 	short status;
+ 	struct ext_block_cache cache;
+ 
+@@ -139,6 +140,7 @@ int ext4fs_read_file(struct ext2fs_node *node, loff_t pos,
+ 			}
+ 		} else {
+ 			int n;
++			int n_left;
+ 			if (previous_block_number != -1) {
+ 				/* spill */
+ 				status = ext4fs_devread(delayed_start,
+@@ -153,8 +155,9 @@ int ext4fs_read_file(struct ext2fs_node *node, loff_t pos,
+ 			}
+ 			/* Zero no more than `len' bytes. */
+ 			n = blocksize - skipfirst;
+-			if (n > len)
+-				n = len;
++			n_left = len - ( buf - start_buf );
++			if (n > n_left)
++				n = n_left;
+ 			memset(buf, 0, n);
+ 		}
+ 		buf += blocksize - skipfirst;
+-- 
+2.17.1
+