author | Tadeusz Struk <tadeusz.struk@linaro.org> | 2022-10-05 16:29:30 -0700 |
---|---|---|
committer | Pierre-Clément Tosi <ptosi@google.com> | 2023-10-11 18:33:18 +0100 |
commit | cbfd232da37f480bf3abcba01e16e44306149d45 (patch) | |
tree | 91377a7cc8b1b8892d7084aab2190a0f86b4696e | |
parent | bb2b54f19e202d5781ec6c05b3d584fcd85cddcc (diff) | |
download | dtc-cbfd232da37f480bf3abcba01e16e44306149d45.tar.gz |
FROMGIT: libfdt: prevent integer overflow in fdt_next_tag
Since fdt_next_tag() is a public API function, all input parameters,
including the fdt blob should not be trusted. It is possible to forge
a blob with invalid property length that will cause integer overflow
during offset calculation. To prevent that, validate the property length
read from the blob before doing calculations.
Signed-off-by: Tadeusz Struk <tadeusz.struk@linaro.org>
Message-Id: <20221005232931.3016047-1-tadeusz.struk@linaro.org>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
(cherry-picked from commit 73590342fc85ca207ca1e6cbc110179873a96962 git://git.kernel.org/pub/scm/utils/dtc/dtc.git main)
Test: N/A
Change-Id: I894051ed101255800717001a71a5a74ac66fd897
-rw-r--r-- | libfdt/fdt.c | 17 |
1 files changed, 12 insertions, 5 deletions
diff --git a/libfdt/fdt.c b/libfdt/fdt.c
index 9fe7cf4..13b4b9b 100644
--- a/libfdt/fdt.c
+++ b/libfdt/fdt.c
@@ -165,7 +165,7 @@ const void *fdt_offset_ptr(const void *fdt, int offset, unsigned int len)
 uint32_t fdt_next_tag(const void *fdt, int startoffset, int *nextoffset)
 {
 const fdt32_t *tagp, *lenp;
- uint32_t tag;
+ uint32_t tag, len, sum;
 int offset = startoffset;
 const char *p;
 
@@ -191,12 +191,19 @@ uint32_t fdt_next_tag(const void *fdt, int startoffset, int *nextoffset)
 lenp = fdt_offset_ptr(fdt, offset, sizeof(*lenp));
 if (!can_assume(VALID_DTB) && !lenp)
 return FDT_END; /* premature end */
+
+ len = fdt32_to_cpu(*lenp);
+ sum = len + offset;
+ if (!can_assume(VALID_DTB) &&
+ (INT_MAX <= sum || sum < (uint32_t) offset))
+ return FDT_END; /* premature end */
+
 /* skip-name offset, length and value */
- offset += sizeof(struct fdt_property) - FDT_TAGSIZE
- + fdt32_to_cpu(*lenp);
+ offset += sizeof(struct fdt_property) - FDT_TAGSIZE + len;
+
 if (!can_assume(LATEST) &&
- fdt_version(fdt) < 0x10 && fdt32_to_cpu(*lenp) >= 8 &&
- ((offset - fdt32_to_cpu(*lenp)) % 8) != 0)
+ fdt_version(fdt) < 0x10 && len >= 8 &&
+ ((offset - len) % 8) != 0)
 offset += 4;
 break; |
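Review bot: The new `len` and `sum` locals carry the whole point of this hardening but get no comment where they are declared, so a reader of `uint32_t tag, len, sum;` cannot tell that `sum` exists only to make wrap-around of `offset + len` detectable in unsigned arithmetic; I would annotate the declaration, e.g. `uint32_t tag, len, sum; /* sum = offset + len in uint32_t so a wrapped result is detectable */`. Related to that intent, the later check rejects `sum` only once it reaches INT_MAX, while the value then stored into `int offset` is `sum` plus `sizeof(struct fdt_property) - FDT_TAGSIZE`, so the stored offset can still land a few bytes above INT_MAX and be converted to int in an implementation-defined way; comparing against `INT_MAX - (sizeof(struct fdt_property) - FDT_TAGSIZE)` instead would leave that headroom, unless the range check this function performs on the final offset (not visible here) already rejects it. fdt_next_tag's body continues past both hunks.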