[U-Boot] [PATCH] fs: ext4: Prevent erasing buffer past file size

Stefano Babic sbabic at denx.de
Mon Jul 23 12:30:02 UTC 2018


Hi Marek,

On 23/07/2018 11:42, Marek Vasut wrote:
> The variable 'n' represents the number of bytes to be read from a certain
> offset in a file, to a certain offset in buffer 'buf'. The variable 'len'
> represents the length of the entire file, clamped correctly to avoid any
> overflows.
> 
> Therefore, comparing 'n' and 'len' to determine whether clearing 'n'
> bytes of the buffer 'buf' at a certain offset would clear data past
> buffer 'buf' cannot lead to a correct result, since the 'n' does not
> contain the offset from the beginning of the file.
> 
> This patch keeps track of the amount of data read and checks for the
> buffer overflow by comparing the 'n' to the remaining amount of data
> to be read instead.
> 
> Signed-off-by: Marek Vasut <marex at denx.de>
> Cc: Ian Ray <ian.ray at ge.com>
> Cc: Martyn Welch <martyn.welch at collabora.co.uk>
> Cc: Stefano Babic <sbabic at denx.de>
> Cc: Tom Rini <trini at konsulko.com>
> Fixes: ecdfb4195b20 ("ext4: recover from filesystem corruption when reading")
> ---
>  fs/ext4/ext4fs.c | 8 +++++---
>  1 file changed, 5 insertions(+), 3 deletions(-)
> 
> diff --git a/fs/ext4/ext4fs.c b/fs/ext4/ext4fs.c
> index 2a28031d14..537aa05eff 100644
> --- a/fs/ext4/ext4fs.c
> +++ b/fs/ext4/ext4fs.c
> @@ -60,6 +60,7 @@ int ext4fs_read_file(struct ext2fs_node *node, loff_t pos,
>  	lbaint_t delayed_extent = 0;
>  	lbaint_t delayed_skipfirst = 0;
>  	lbaint_t delayed_next = 0;
> +	lbaint_t read_total = 0;
>  	char *delayed_buf = NULL;
>  	short status;
>  
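
Review bot: `read_total` is declared as `lbaint_t` alongside `delayed_extent` and `delayed_next`, which hold block numbers, but the second hunk uses it as a byte count that is subtracted from `len`. Declaring it with the same type as `len` would keep `len - read_total` free of mixed-width arithmetic and make it clear that the counter is in bytes, not blocks.
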
> @@ -140,13 +141,14 @@ int ext4fs_read_file(struct ext2fs_node *node, loff_t pos,
>  					return -1;
>  				previous_block_number = -1;
>  			}
> -			/* Zero no more than `len' bytes. */
> +			/* Zero no more than 'filesize' bytes. */
>  			n = blocksize - skipfirst;
> -			if (n > len)
> -				n = len;
> +			if (n > (len - read_total))
> +				n = (len - read_total);
>  			memset(buf, 0, n);
>  		}
>  		buf += blocksize - skipfirst;
> +		read_total += blocksize - skipfirst;
>  	}
>  	if (previous_block_number != -1) {
>  		/* spill */
> 
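
Review bot: The clamp `if (n > (len - read_total))` is only safe while `read_total` never exceeds `len` at this point. `read_total` advances by the full `blocksize - skipfirst` on every iteration, so if it could ever pass `len`, the difference would wrap or go negative and `memset(buf, 0, n)` would get a bad length. A short comment stating why that cannot happen, or an explicit check before the subtraction, would make this easier to verify. Separately, the updated comment says 'filesize', but no such variable appears in the hunk and the code clamps to `len - read_total`; wording such as "zero no more than the remaining bytes to be read" would match what the code does.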

Acked-by: Stefano Babic <sbabic at denx.de>
Tested-by: Stefano Babic <sbabic at denx.de>

Best regards,
Stefano Babic

-- 
=====================================================================
DENX Software Engineering GmbH,      Managing Director: Wolfgang Denk
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany
Phone: +49-8142-66989-53 Fax: +49-8142-66989-80 Email: sbabic at denx.de
=====================================================================