Needs a check in the device tree

jianqiang wang wjq.sec at gmail.com
Wed Jun 5 15:40:36 CEST 2024


Dear Das U-Boot developers,

I found that the u-boot device tree implementation lacks a check for the
off_dt_struct field in the device tree.

In file scripts\dtc\libfdt\libfdt_internal.h, fdt_offset_ptr_ returns the
dt struct address. It calculates the address by adding the header address,
fdt offset, and a specified offset. However, the fdt offset is read from
the device tree and lacks a proper check. The returned pointer can even
point to any address, leading to arbitrary read or write.

Could you please confirm it is a vulnerability?

Best regards,
Jianqiang
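As an added illustration of the kind of bounds check the report asks about (example code written for this page, not libfdt's or U-Boot's own implementation): it reads the header fields the post names, treats the caller-supplied buffer length as the trusted bound, and refuses any off_dt_struct or requested range that would step outside it. It assumes the version-17 flattened device tree header layout; the sample blob is constructed inline.

```c
#include <stdint.h>
#include <string.h>

#define FDT_MAGIC   0xd00dfeedU
#define FDT_HDR_LEN 40 /* version-17 header size */
#define BUF_LEN     64 /* size of the constructed sample blob */
/* FDT header fields are big-endian 32-bit values. */
static uint32_t be32(const uint8_t *p)
{
    return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3];
}
static void put32(uint8_t *p, uint32_t v)
{
    p[0] = v >> 24; p[1] = v >> 16; p[2] = v >> 8; p[3] = (uint8_t)v;
}

/* Pointer to `len` bytes at `offset` in the struct block, or NULL if
 * off_dt_struct or the requested range would leave the buffer. `buflen` is the
 * size of the memory that really holds the blob and is trusted; totalsize,
 * off_dt_struct and size_dt_struct are read from the blob and are not. */
const void *checked_struct_ptr(const uint8_t *fdt, size_t buflen,
                               uint32_t offset, uint32_t len)
{
    if (buflen < FDT_HDR_LEN || be32(fdt) != FDT_MAGIC)
        return NULL;
    uint32_t totalsize = be32(fdt + 4), off = be32(fdt + 8);
    uint32_t size_struct = be32(fdt + 36);
    if (totalsize > buflen || off > totalsize || size_struct > totalsize - off)
        return NULL;
    if ((uint64_t)offset + len > size_struct) /* 64-bit sum: cannot wrap */
        return NULL;
    return fdt + off + offset;
}

/* Constructed sample blob: a zeroed 64-byte buffer carrying only a header. */
static void make_sample(uint8_t *buf, uint32_t off, uint32_t size_struct)
{
    memset(buf, 0, BUF_LEN);
    put32(buf, FDT_MAGIC); put32(buf + 4, BUF_LEN); put32(buf + 8, off);
    put32(buf + 20, 17);   put32(buf + 36, size_struct);
}
/* 1 when an in-range request passes and out-of-range ones are refused. */
int demo_checks(void)
{
    uint8_t buf[BUF_LEN];
    make_sample(buf, 40, 16);
    const void *ok   = checked_struct_ptr(buf, BUF_LEN, 0, 4);  /* inside */
    const void *past = checked_struct_ptr(buf, BUF_LEN, 12, 8); /* past end */
    make_sample(buf, 0xfffffff0u, 16);                          /* bogus off */
    const void *huge = checked_struct_ptr(buf, BUF_LEN, 0, 4);
    return ok == buf + 40 && past == NULL && huge == NULL;
}
```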