From 3afda967bc78d227b521d945f2ade2475974f1dc Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pierre-Cl=C3=A9ment=20Tosi?=
Date: Tue, 26 Jul 2022 15:59:06 +0100
Subject: [PATCH] ANDROID: fuzz: Only check valid phandles
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Ignore invalid phandles from fdt_get_phandle(). Update the assert() to avoid false positives, as per the libfdt API:
```
 * fdt_node_offset_by_phandle() returns the offset of the node
 * which has the given phandle value. If there is more than one node
 * in the tree with the given phandle (an invalid tree), results are
 * undefined.
```
Bug: 240612647
Test: SANITIZE_HOST=address m libfdt_fuzzer
Signed-off-by: Pierre-Clément Tosi
Change-Id: Ifbb6a25ab6bd1463afccc88f9756d34c3cf59717
---
 fuzzing/libfdt_fuzzer.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/fuzzing/libfdt_fuzzer.c b/fuzzing/libfdt_fuzzer.c
index 98e03c8..89fe3c2 100644
--- a/fuzzing/libfdt_fuzzer.c
+++ b/fuzzing/libfdt_fuzzer.c
@@ -55,6 +55,9 @@ static void check_mem(const void *mem, size_t len) {
 #endif
 }
+static bool phandle_is_valid(uint32_t phandle) {
+ return phandle != 0 && phandle != UINT32_MAX;
+}
 static void walk_device_tree(const void *device_tree, int parent_node) {
 int len = 0;
@@ -64,8 +67,9 @@ static void walk_device_tree(const void *device_tree, int parent_node) {
 }
 uint32_t phandle = fdt_get_phandle(device_tree, parent_node);
- if (phandle != 0) {
- assert(parent_node == fdt_node_offset_by_phandle(device_tree, phandle));
+ if (phandle_is_valid(phandle)) {
+ int node = fdt_node_offset_by_phandle(device_tree, phandle);
+ assert(node >= 0); // it should at least find parent_node
 }
 // recursively walk the node's children
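Review bot: The relaxed check in the second hunk, `assert(node >= 0); // it should at least find parent_node`, no longer ties the lookup result to the phandle that was queried, so a lookup returning some unrelated but non-negative offset would still pass and a real libfdt lookup bug would go unnoticed by the fuzzer. The postcondition that survives duplicate phandles is that whatever node comes back carries the queried value, so keep the new assert and add `assert(fdt_get_phandle(device_tree, node) == phandle);` after it, with the comment reworded to `// a duplicate phandle may resolve to another node, never to one without this phandle`. The helper phandle_is_valid in the first hunk rejects the two reserved values 0 and UINT32_MAX, which matches what fdt_node_offset_by_phandle itself refuses; it relies on bool, so <stdbool.h> must already be included, which is not visible in this chunk. walk_device_tree begins before and continues past the second hunk.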