Needs a check in the device tree

jianqiang wang wjq.sec at gmail.com
Thu Jun 6 23:16:13 CEST 2024


Hi Simon,

yes, you are right, I forgot to call this checking function, thanks!

Best regards
Jianqiang

Simon Glass <sjg at chromium.org> wrote on Thu, 6 Jun 2024 at 17:04:

> Hi Jianqiang,
>
> On Wed, 5 Jun 2024 at 07:40, jianqiang wang <wjq.sec at gmail.com> wrote:
> >
> > Dear Das U-Boot developers,
> >
> > I found that the u-boot device tree implementation lacks a check for the
> > off_dt_struct field in the device tree.
> >
> > In file scripts\dtc\libfdt\libfdt_internal.h, fdt_offset_ptr_ returns the
> > dt struct address. It calculates the address by adding the header address,
> > fdt offset, and a specified offset. However, the fdt offset is read from
> > the device tree and lacks a proper check. The returned pointer can even
> > point to any address, leading to arbitrary read or write.
> >
> > Could you please confirm it is a vulnerability?
>
> Doesn't fdt_check_header() help here? Where are you calling the code from?
>
> Regards,
> Simon
>
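The point Simon raises, validating the header before any of its offsets are turned into pointers, is shown below as an added example; it is not U-Boot's or libfdt's code, and every name prefixed `ex_` (the error codes, `ex_check_header`, `ex_struct_ptr`, `ex_build_sample` and the scenario helpers) is this example's own. It mirrors in spirit what `fdt_check_header()` does: verify the magic, confirm `totalsize` fits the buffer, and confirm that `off_dt_struct` / `size_dt_struct` (and the strings and reservation-map offsets) lie inside `totalsize` before the structure block is read. A bounds-checked counterpart of `fdt_offset_ptr_()` then returns NULL instead of an arbitrary pointer when the requested range falls outside the structure block. The sample blob is constructed in the code.

```c
/* Added example (not U-Boot/libfdt code): check the FDT header before using
 * off_dt_struct, in the spirit of libfdt's fdt_check_header(). Names prefixed
 * "ex_" are this example's own. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define FDT_MAGIC        0xd00dfeedu
#define FDT_HEADER_SIZE  40u
#define FDT_BEGIN_NODE   0x1u
#define FDT_END_NODE     0x2u
#define FDT_END          0x9u

enum { EX_OK = 0, EX_ERR_TRUNCATED = -1, EX_ERR_BADMAGIC = -2,
       EX_ERR_BADSIZE = -3, EX_ERR_BADSTRUCT = -4, EX_ERR_BADSTRINGS = -5,
       EX_ERR_BADRSVMAP = -6 };

/* Byte offsets of the header fields used here (spec order, all big-endian u32). */
enum { H_MAGIC = 0, H_TOTALSIZE = 4, H_OFF_DT_STRUCT = 8, H_OFF_DT_STRINGS = 12,
       H_OFF_MEM_RSVMAP = 16, H_VERSION = 20, H_LAST_COMP = 24,
       H_SIZE_DT_STRINGS = 32, H_SIZE_DT_STRUCT = 36 };

static uint32_t be32(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

static void put_be32(unsigned char *p, uint32_t v)
{
    p[0] = (unsigned char)(v >> 24); p[1] = (unsigned char)(v >> 16);
    p[2] = (unsigned char)(v >> 8);  p[3] = (unsigned char)v;
}

/* Every offset/size pair must lie inside totalsize, and totalsize inside the
 * buffer we were actually handed. "off <= total" is tested before
 * "size > total - off" so the subtraction cannot wrap. */
int ex_check_header(const unsigned char *blob, size_t buflen)
{
    uint32_t total, off, size;
    if (buflen < FDT_HEADER_SIZE) return EX_ERR_TRUNCATED;
    if (be32(blob + H_MAGIC) != FDT_MAGIC) return EX_ERR_BADMAGIC;
    total = be32(blob + H_TOTALSIZE);
    if (total < FDT_HEADER_SIZE || total > buflen) return EX_ERR_BADSIZE;
    off = be32(blob + H_OFF_DT_STRUCT); size = be32(blob + H_SIZE_DT_STRUCT);
    if (off < FDT_HEADER_SIZE || off > total || size > total - off) return EX_ERR_BADSTRUCT;
    off = be32(blob + H_OFF_DT_STRINGS); size = be32(blob + H_SIZE_DT_STRINGS);
    if (off < FDT_HEADER_SIZE || off > total || size > total - off) return EX_ERR_BADSTRINGS;
    off = be32(blob + H_OFF_MEM_RSVMAP);
    if (off < FDT_HEADER_SIZE || off > total) return EX_ERR_BADRSVMAP;
    return EX_OK;
}

/* Bounds-checked pointer into the structure block: NULL when the header is
 * bad or [offset, offset+len) is not fully inside size_dt_struct. */
const unsigned char *ex_struct_ptr(const unsigned char *blob, size_t buflen,
                                   uint32_t offset, uint32_t len)
{
    uint32_t size;
    if (ex_check_header(blob, buflen) != EX_OK) return NULL;
    size = be32(blob + H_SIZE_DT_STRUCT);
    if (offset > size || len > size - offset) return NULL;
    return blob + be32(blob + H_OFF_DT_STRUCT) + offset;
}

/* Constructed sample blob: header, an empty reservation map (two zero u64s)
 * and a 16-byte structure block holding one empty root node. Returns 72. */
size_t ex_build_sample(unsigned char *buf, size_t cap)
{
    const size_t total = FDT_HEADER_SIZE + 16 + 16;
    unsigned char *s;
    if (cap < total) return 0;
    memset(buf, 0, total);
    put_be32(buf + H_MAGIC, FDT_MAGIC);
    put_be32(buf + H_TOTALSIZE, (uint32_t)total);
    put_be32(buf + H_OFF_MEM_RSVMAP, FDT_HEADER_SIZE);       /* 40 */
    put_be32(buf + H_OFF_DT_STRUCT, FDT_HEADER_SIZE + 16);   /* 56 */
    put_be32(buf + H_SIZE_DT_STRUCT, 16);
    put_be32(buf + H_OFF_DT_STRINGS, (uint32_t)total);       /* 72, empty block */
    put_be32(buf + H_SIZE_DT_STRINGS, 0);
    put_be32(buf + H_VERSION, 17);
    put_be32(buf + H_LAST_COMP, 16);
    s = buf + FDT_HEADER_SIZE + 16;
    put_be32(s + 0, FDT_BEGIN_NODE);  /* then "" padded to 4 bytes (already zero) */
    put_be32(s + 8, FDT_END_NODE);
    put_be32(s + 12, FDT_END);
    return total;
}

/* Scenario helpers returning the values a caller would want to check. */
int ex_valid_blob_passes(void)
{
    unsigned char buf[128];
    size_t n = ex_build_sample(buf, sizeof buf);
    const unsigned char *p = ex_struct_ptr(buf, n, 0, 4);
    return ex_check_header(buf, n) == EX_OK && p != NULL && be32(p) == FDT_BEGIN_NODE;
}

int ex_bogus_off_dt_struct_rejected(void)
{
    unsigned char buf[128];
    size_t n = ex_build_sample(buf, sizeof buf);
    put_be32(buf + H_OFF_DT_STRUCT, 0x7fffff00u);  /* far outside the 72-byte blob */
    return ex_check_header(buf, n);                /* EX_ERR_BADSTRUCT */
}

int ex_oob_struct_offset_rejected(void)
{
    unsigned char buf[128];
    size_t n = ex_build_sample(buf, sizeof buf);
    /* offset 12 is the last full cell of the 16-byte block; offset 16 is past it */
    return ex_struct_ptr(buf, n, 12, 4) != NULL && ex_struct_ptr(buf, n, 16, 4) == NULL;
}

int main(void)
{
    printf("valid blob passes: %d\n", ex_valid_blob_passes());
    printf("bogus off_dt_struct result: %d\n", ex_bogus_off_dt_struct_rejected());
    printf("out-of-block offset rejected: %d\n", ex_oob_struct_offset_rejected());
    return 0;
}
```

The buffer length passed alongside the blob matters as much as the header fields: `totalsize` is itself untrusted data, so it is accepted only when it fits inside the memory the caller actually owns, and every later offset is checked against that value rather than against the raw header.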
