[U-Boot] [PATCH] fdt: Fix string property comparison overflow
Peter Robinson
pbrobinson at gmail.com
Mon Jun 4 05:42:28 UTC 2018
On Mon, Jun 4, 2018 at 1:22 AM, Teddy Reed <teddy.reed at gmail.com> wrote:
> FDT property searching can overflow when comparing strings. This will
> result in undefined behavior.
>
> This check assures that property name lengths do not overrun the string
> region or the totalsize.
The lib/libfdt is mostly a sync from upstream dtc [1], so I suspect
it's a problem there too and should probably be sent and accepted there,
and it'll then be pulled back in a resync.
Peter
[1] https://git.kernel.org/pub/scm/utils/dtc/dtc.git
> Signed-off-by: Teddy Reed <teddy.reed at gmail.com>
> ---
> lib/libfdt/fdt_ro.c | 5 +++++
> scripts/dtc/libfdt/fdt.c | 2 ++
> 2 files changed, 7 insertions(+)
>
> diff --git a/lib/libfdt/fdt_ro.c b/lib/libfdt/fdt_ro.c
> index b6ca4e0..612f3ac 100644
> --- a/lib/libfdt/fdt_ro.c
> +++ b/lib/libfdt/fdt_ro.c
> @@ -42,6 +42,11 @@ const char *fdt_string(const void *fdt, int stroffset)
> static int _fdt_string_eq(const void *fdt, int stroffset,
> const char *s, int len)
> {
> + int total_off = fdt_off_dt_strings(fdt) + stroffset;
> + if (total_off + len + 1 < total_off ||
> + total_off + len + 1 > fdt_totalsize(fdt))
> + return 0;
> +
> const char *p = fdt_string(fdt, stroffset);
>
> return (strnlen(p, len + 1) == len) && (memcmp(p, s, len) == 0);
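Review bot: the wrap-around test on the added lines `int total_off = fdt_off_dt_strings(fdt) + stroffset;` / `if (total_off + len + 1 < total_off ||` depends on signed int overflow, which is undefined behaviour in C, so the compiler may treat the first half of the condition as always false and the check silently degrades to the totalsize comparison alone. Keep the arithmetic unsigned instead: reject a negative `stroffset` or `len` up front, check `total_off > fdt_totalsize(fdt)` first, and then test `(unsigned)len + 1 > fdt_totalsize(fdt) - total_off`, which cannot wrap. Separately, the commit message says the check covers the string region, but the code only bounds against `fdt_totalsize(fdt)`; bounding against the string block size (`fdt_size_dt_strings(fdt)`) would match the description and is tighter. The unchanged `strnlen(p, len + 1)` reads at most len + 1 bytes, so the `len + 1` in the bound is the right quantity to check.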
> diff --git a/scripts/dtc/libfdt/fdt.c b/scripts/dtc/libfdt/fdt.c
> index 7855a17..dffd28d 100644
> --- a/scripts/dtc/libfdt/fdt.c
> +++ b/scripts/dtc/libfdt/fdt.c
> @@ -57,6 +57,8 @@
>
> int fdt_check_header(const void *fdt)
> {
> + if (fdt == NULL)
> + return -FDT_ERR_BADSTRUCTURE;
> if (fdt_magic(fdt) == FDT_MAGIC) {
> /* Complete tree */
> if (fdt_version(fdt) < FDT_FIRST_SUPPORTED_VERSION)
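Review bot: the NULL check at `+ if (fdt == NULL)` is a different fix from the string-comparison overflow named in the subject and commit message, and it lands only in the scripts/dtc/libfdt copy while the string bound lands only in lib/libfdt/fdt_ro.c, so each copy of libfdt receives one of the two fixes but not the other. Either split this hunk into its own patch with its own description, or apply both checks to both copies. Returning -FDT_ERR_BADSTRUCTURE for a missing blob also deserves a sentence in the commit message, since that code normally signals a malformed structure block rather than a NULL argument.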
> --
> 2.7.4
>
> _______________________________________________
> U-Boot mailing list
> U-Boot at lists.denx.de
> https://lists.denx.de/listinfo/u-boot