FROMLIST: libdft: fdt_next_tag: Harden offset overflow check
As 'offset' is obtained through various paths within the function by
adding user-provided values to 'startoffset' and as we validate its
final value by substracting it from the initial one, there is a risk
that one of the paths might have lead to an overflow, making the check
validate a "negative" (wrong) length, potentially causing fdt_next_tag()
to report an invalid offset as valid through 'nextoffset'.
For example, when parsing an FDT_PROP, we currently validate that
offset = startoffset + len + FDT_TAGSIZE
doesn't overflow but then assign
offset = startoffset + len + sizeof(struct fdt_property)
so harden all paths by validating the offset in the very last check.
Signed-off-by: Pierre-Clément Tosi <ptosi@google.com>
(am from https://lore.kernel.org/devicetree-compiler/20231011172427.g4tlsew3wsjtddil@google.com/)
Test: N/A
Change-Id: I0b17b0827ccc0ece0a2d1795b388408fb599aed7
This commit is contained in:
Pierre-Clément Tosi
parent
cbfd232da3
commit
0493daab32
1 changed files with 2 additions and 1 deletions
|
|
@ -216,7 +216,8 @@ uint32_t fdt_next_tag(const void *fdt, int startoffset, int *nextoffset)
|
||||||
return FDT_END;
|
return FDT_END;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (!fdt_offset_ptr(fdt, startoffset, offset - startoffset))
|
if (!can_assume(VALID_DTB) && (offset <= startoffset
|
||||||
|
|| !fdt_offset_ptr(fdt, startoffset, offset - startoffset)))
|
||||||
return FDT_END; /* premature end */
|
return FDT_END; /* premature end */
|
||||||
|
|
||||||
*nextoffset = FDT_TAGALIGN(offset);
|
*nextoffset = FDT_TAGALIGN(offset);
|
||||||
|
|
|
||||||
Loading…
Reference in a new issue