Needs a check in the device tree

Simon Glass sjg at chromium.org
Thu Jun 6 17:04:22 CEST 2024


Hi Jianqiang,

On Wed, 5 Jun 2024 at 07:40, jianqiang wang <wjq.sec at gmail.com> wrote:
>
> Dear Das U-Boot developers,
>
> I found that the u-boot device tree implementation lacks a check for the
> off_dt_struct field in the device tree.
>
> In file scripts\dtc\libfdt\libfdt_internal.h, fdt_offset_ptr_ returns the
> dt struct address. It calculates the address by adding the header address,
> fdt offset, and a specified offset. However, the fdt offset is read from
> the device tree and lacks a proper check. The returned pointer can even
> point to any address, leading to arbitrary read or write.
>
> Could you please confirm it is a vulnerability?

Doesn't fdt_check_header() help here? Where are you calling the code from?

Regards,
Simon
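As an added illustration (not libfdt's or U-Boot's code, and not a claim about how fdt_check_header() is actually implemented), the following shows the kind of header validation and bounds-checked offset arithmetic that turns the unchecked `header + off_dt_struct + offset` computation described above into one that rejects out-of-range values; the 64-byte blob and all header values are constructed for the demonstration.

```c
#include <stdint.h>
#include <string.h>

#define FDT_MAGIC 0xd00dfeedu           /* DTB magic, stored big-endian */
struct fdt_header {                     /* DTB header: all fields 32-bit big-endian */
    uint32_t magic, totalsize, off_dt_struct, off_dt_strings, off_mem_rsvmap,
             version, last_comp_version, boot_cpuid_phys, size_dt_strings, size_dt_struct;
};
static uint32_t be32(const void *p) {
    const uint8_t *b = p;
    return (uint32_t)b[0] << 24 | (uint32_t)b[1] << 16 | (uint32_t)b[2] << 8 | b[3];
}
/* Validate the header against the real buffer length (illustrative, not libfdt's own code). */
int checked_fdt_header(const void *fdt, size_t buf_len) {
    if (buf_len < sizeof(struct fdt_header)) return -1;
    const struct fdt_header *h = fdt;
    uint32_t total = be32(&h->totalsize), off = be32(&h->off_dt_struct), size = be32(&h->size_dt_struct);
    if (be32(&h->magic) != FDT_MAGIC) return -2;
    if (total < sizeof *h || total > buf_len) return -3;     /* totalsize must fit the buffer */
    if (off < sizeof *h || off > total) return -4;           /* off_dt_struct must lie in the blob */
    if (size > total - off) return -5;                       /* overflow-safe off + size <= total */
    return 0;
}
/* Bounds-checked replacement for "header + off_dt_struct + offset": returns NULL instead of a
 * wild pointer when [offset, offset+len) would leave the structure block. */
const void *checked_offset_ptr(const void *fdt, size_t buf_len, uint32_t offset, uint32_t len) {
    if (checked_fdt_header(fdt, buf_len) != 0) return NULL;
    const struct fdt_header *h = fdt;
    uint32_t off = be32(&h->off_dt_struct), size = be32(&h->size_dt_struct);
    if (offset > size || len > size - offset) return NULL;
    return (const uint8_t *)fdt + off + offset;
}
/* Constructed 64-byte sample blob (header only, no nodes) used to exercise the checks. */
static uint8_t sample[64];
static void put32(uint8_t *p, uint32_t v) { p[0] = v >> 24; p[1] = v >> 16; p[2] = v >> 8; p[3] = v; }
static void make_sample(uint32_t off_struct, uint32_t size_struct) {
    memset(sample, 0, sizeof sample);
    put32(sample + 0, FDT_MAGIC);
    put32(sample + 4, sizeof sample);   /* totalsize */
    put32(sample + 8, off_struct);      /* off_dt_struct, the untrusted field from the report */
    put32(sample + 36, size_struct);    /* size_dt_struct */
}
int probe_header(uint32_t off_struct, uint32_t size_struct) {
    make_sample(off_struct, size_struct);
    return checked_fdt_header(sample, sizeof sample);
}
/* Byte offset from the blob start that the checked access resolves to, or -1 if rejected. */
long probe_offset(uint32_t off_struct, uint32_t size_struct, uint32_t offset, uint32_t len) {
    make_sample(off_struct, size_struct);
    const uint8_t *p = checked_offset_ptr(sample, sizeof sample, offset, len);
    return p ? (long)(p - sample) : -1;
}
```

With a well-formed header (off_dt_struct 40, size_dt_struct 24) the accessor resolves to offsets 40..63; a header whose off_dt_struct points past the blob, or inside the header, is rejected before any pointer is formed.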

