From mboxrd@z Thu Jan 1 00:00:00 1970 From: Stefano Babic Date: Mon, 23 Jul 2018 14:30:02 +0200 Subject: [U-Boot] [PATCH] fs: ext4: Prevent erasing buffer past file size In-Reply-To: <20180723094212.3031-1-marex@denx.de> References: <20180723094212.3031-1-marex@denx.de> Message-ID: <976d5ec4-a5ce-07d0-1488-714111cabacc@denx.de> List-Id: MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit To: u-boot@lists.denx.de Hi Marek, On 23/07/2018 11:42, Marek Vasut wrote: > The variable 'n' represents the number of bytes to be read from a certain > offset in a file, to a certain offset in buffer 'buf'. The variable 'len' > represents the length of the entire file, clamped correctly to avoid any > overflows. > > Therefore, comparing 'n' and 'len' to determine whether clearing 'n' > bytes of the buffer 'buf' at a certain offset would clear data past > buffer 'buf' cannot lead to a correct result, since the 'n' does not > contain the offset from the beginning of the file. > > This patch keeps track of the amount of data read and checks for the > buffer overflow by comparing the 'n' to the remaining amount of data > to be read instead. > > Signed-off-by: Marek Vasut > Cc: Ian Ray > Cc: Martyn Welch > Cc: Stefano Babic > Cc: Tom Rini > Fixes: ecdfb4195b20 ("ext4: recover from filesystem corruption when reading") > --- > fs/ext4/ext4fs.c | 8 +++++--- > 1 file changed, 5 insertions(+), 3 deletions(-) > > diff --git a/fs/ext4/ext4fs.c b/fs/ext4/ext4fs.c > index 2a28031d14..537aa05eff 100644 > --- a/fs/ext4/ext4fs.c > +++ b/fs/ext4/ext4fs.c > @@ -60,6 +60,7 @@ int ext4fs_read_file(struct ext2fs_node *node, loff_t pos, > lbaint_t delayed_extent = 0; > lbaint_t delayed_skipfirst = 0; > lbaint_t delayed_next = 0; > + lbaint_t read_total = 0; > char *delayed_buf = NULL; > short status; 
> > @@ -140,13 +141,14 @@ int ext4fs_read_file(struct ext2fs_node *node, loff_t pos, > return -1; > previous_block_number = -1; > } > - /* Zero no more than `len' bytes. */ > + /* Zero no more than 'filesize' bytes. */ > n = blocksize - skipfirst; > - if (n > len) > - n = len; > + if (n > (len - read_total)) > + n = (len - read_total); > memset(buf, 0, n); > } > buf += blocksize - skipfirst; > + read_total += blocksize - skipfirst; > } > if (previous_block_number != -1) { > /* spill */ > Acked-by: Stefano Babic Tested-by: Stefano Babic Best regards, Stefano Babic -- ===================================================================== DENX Software Engineering GmbH, Managing Director: Wolfgang Denk HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany Phone: +49-8142-66989-53 Fax: +49-8142-66989-80 Email: sbabic at denx.de =====================================================================
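Review bot: read_total is declared as lbaint_t in the first hunk (@@ -60,6 +60,7 @@), next to the delayed_* block-address variables, but it is a byte counter that the second hunk subtracts from len. Declaring it with the same type as len would keep the comparison n > (len - read_total) free of mixed-width or mixed-signedness conversions, and a short comment on the declaration (for example "bytes consumed from the request so far") would document that it advances in lockstep with buf.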
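Review bot: the reworded comment in the second hunk (@@ -140,13 +141,14 @@) says 'filesize', but the clamp under it uses len - read_total and no filesize variable appears in these lines; wording such as "Zero no more than the remaining (len - read_total) bytes" would match the code. In the same hunk, read_total += blocksize - skipfirst runs on every iteration regardless of the clamp, so it is worth confirming against the loop bound (not visible here) that read_total can never exceed len. Otherwise len - read_total goes negative or wraps and the memset size is no longer bounded by the buffer.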