| author | Pierre-Clément Tosi <ptosi@google.com> | 2023-10-11 18:24:27 +0100 |
|---|---|---|
| committer | Pierre-Clément Tosi <ptosi@google.com> | 2023-10-11 18:33:22 +0100 |
| commit | 0493daab327ef269a7ab6a8ab61fae15f92e7666 (patch) | |
| tree | c64dcdfa55d463b755cabb62b91822fd6a5b0cf4 | |
| parent | cbfd232da37f480bf3abcba01e16e44306149d45 (diff) | |
| download | dtc-0493daab327ef269a7ab6a8ab61fae15f92e7666.tar.gz | |
FROMLIST: libdft: fdt_next_tag: Harden offset overflow check
As 'offset' is obtained through various paths within the function by
adding user-provided values to 'startoffset' and as we validate its
final value by subtracting it from the initial one, there is a risk
that one of the paths might have led to an overflow, making the check
validate a "negative" (wrong) length, potentially causing fdt_next_tag()
to report an invalid offset as valid through 'nextoffset'.
For example, when parsing an FDT_PROP, we currently validate that
offset = startoffset + len + FDT_TAGSIZE
doesn't overflow, but then assign
offset = startoffset + len + sizeof(struct fdt_property)
so harden all paths by validating the offset in the very last check.
Signed-off-by: Pierre-Clément Tosi <ptosi@google.com>
(am from https://lore.kernel.org/devicetree-compiler/20231011172427.g4tlsew3wsjtddil@google.com/)
Test: N/A
Change-Id: I0b17b0827ccc0ece0a2d1795b388408fb599aed7
-rw-r--r-- | libfdt/fdt.c | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/libfdt/fdt.c b/libfdt/fdt.c index 13b4b9b..b8ffb33 100644 --- a/libfdt/fdt.c +++ b/libfdt/fdt.c @@ -216,7 +216,8 @@ uint32_t fdt_next_tag(const void *fdt, int startoffset, int *nextoffset) return FDT_END; } - if (!fdt_offset_ptr(fdt, startoffset, offset - startoffset)) + if (!can_assume(VALID_DTB) && (offset <= startoffset + || !fdt_offset_ptr(fdt, startoffset, offset - startoffset))) return FDT_END; /* premature end */ *nextoffset = FDT_TAGALIGN(offset); |
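Review bot: the rewritten `if` gates the whole condition on `!can_assume(VALID_DTB)`, so when VALID_DTB is assumed the pre-existing `fdt_offset_ptr(fdt, startoffset, offset - startoffset)` bounds check is skipped as well, which the commit message does not mention; either state that this is intentional (input assumed valid, so neither check is needed) or keep the `fdt_offset_ptr` check outside the new gate. The added `offset <= startoffset` guard itself is the right hardening: it rejects a wrapped or zero-length `offset` before `offset - startoffset` is passed to `fdt_offset_ptr` as a length. Since the message says `Test: N/A`, a regression test with a blob whose FDT_PROP `len` wraps `offset` back to or below `startoffset` would pin the fix down and catch the gap the message describes between the FDT_TAGSIZE and sizeof(struct fdt_property) computations.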