Needs a check in the device tree
jianqiang wang
wjq.sec at gmail.com
Thu Jun 6 23:16:13 CEST 2024
Hi Simon,
Yes, you are right; I forgot to call this checking function. Thanks!
Best regards
Jianqiang
Simon Glass <sjg at chromium.org> wrote on Thu, 6 Jun 2024 at 17:04:
> Hi Jianqiang,
>
> On Wed, 5 Jun 2024 at 07:40, jianqiang wang <wjq.sec at gmail.com> wrote:
> >
> > Dear Das U-Boot developers,
> >
> > I found that the u-boot device tree implementation lacks a check for the
> > off_dt_struct field in the device tree.
> >
> > In file scripts\dtc\libfdt\libfdt_internal.h, fdt_offset_ptr_ returns the
> > dt struct address. It calculates the address by adding the header address,
> > fdt offset, and a specified offset. However, the fdt offset is read from
> > the device tree and lacks a proper check. The returned pointer can even
> > point to any address, leading to arbitrary read or write.
> >
> > Could you please confirm it is a vulnerability?
>
> Doesn't fdt_check_header() help here? Where are you calling the code from?
>
> Regards,
> Simon
>
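The thread turns on two pieces of libfdt behaviour: `fdt_offset_ptr_` adds `off_dt_struct` (read straight from the blob) to the base pointer, and `fdt_check_header()` is the place where that field is supposed to be validated before any such pointer is formed. The following is an added example in C, not libfdt's or U-Boot's code: it reimplements a simplified header check and a bounds-checked accessor over a constructed 64-byte blob, so the unchecked and checked paths can be compared side by side. The field layout follows the flattened device tree header (ten big-endian u32 fields); everything else (function names, the constructed blob, the `-4` error code) is an assumption of this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define FDT_MAGIC       0xd00dfeedU
#define FDT_HEADER_SIZE 40U

/* Byte offsets of the big-endian u32 fields in struct fdt_header. */
enum {
    H_MAGIC = 0, H_TOTALSIZE = 4, H_OFF_DT_STRUCT = 8, H_OFF_DT_STRINGS = 12,
    H_OFF_MEM_RSVMAP = 16, H_VERSION = 20, H_LAST_COMP_VERSION = 24,
    H_BOOT_CPUID_PHYS = 28, H_SIZE_DT_STRINGS = 32, H_SIZE_DT_STRUCT = 36
};

static uint32_t rd32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

static void wr32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
}

/* The unchecked pattern the thread describes: off_dt_struct comes from the
 * blob and is added to the base pointer with no validation at all. */
const void *unchecked_offset_ptr(const void *fdt, uint32_t offset)
{
    const uint8_t *h = fdt;
    return h + rd32(h + H_OFF_DT_STRUCT) + offset;
}

/* Header validation in the spirit of fdt_check_header() (simplified, not the
 * libfdt code). buflen is what the caller really has, so a lying totalsize is
 * rejected too. Returns 0 if sane, a negative code otherwise (assumed codes). */
int check_header(const void *fdt, size_t buflen)
{
    const uint8_t *h = fdt;
    if (buflen < FDT_HEADER_SIZE) return -1;
    if (rd32(h + H_MAGIC) != FDT_MAGIC) return -2;
    uint32_t total = rd32(h + H_TOTALSIZE);
    if (total < FDT_HEADER_SIZE || total > buflen) return -3;
    /* 64-bit sums so that offset + size cannot wrap below totalsize. */
    uint64_t off_s = rd32(h + H_OFF_DT_STRUCT), sz_s = rd32(h + H_SIZE_DT_STRUCT);
    if (off_s < FDT_HEADER_SIZE || (off_s & 3) || off_s + sz_s > total) return -4;
    uint64_t off_t = rd32(h + H_OFF_DT_STRINGS), sz_t = rd32(h + H_SIZE_DT_STRINGS);
    if (off_t < FDT_HEADER_SIZE || off_t + sz_t > total) return -5;
    return 0;
}

/* Bounds-checked accessor: NULL unless [offset, offset+len) lies inside the
 * structure block of a blob that passed check_header(). */
const void *checked_offset_ptr(const void *fdt, size_t buflen, uint32_t offset, uint32_t len)
{
    if (check_header(fdt, buflen) != 0) return NULL;
    const uint8_t *h = fdt;
    if ((uint64_t)offset + len > rd32(h + H_SIZE_DT_STRUCT)) return NULL;
    return h + rd32(h + H_OFF_DT_STRUCT) + offset;
}

/* Constructed 64-byte blob: 40-byte header, 16-byte struct block at 40, 8-byte
 * strings block at 56. off_dt_struct is a parameter so a bad value can be injected. */
#define BLOB_SIZE 64U
void build_blob(uint8_t *buf, uint32_t off_dt_struct)
{
    memset(buf, 0, BLOB_SIZE);
    wr32(buf + H_MAGIC, FDT_MAGIC);
    wr32(buf + H_TOTALSIZE, BLOB_SIZE);
    wr32(buf + H_OFF_DT_STRUCT, off_dt_struct);
    wr32(buf + H_OFF_DT_STRINGS, 56);
    wr32(buf + H_OFF_MEM_RSVMAP, FDT_HEADER_SIZE);
    wr32(buf + H_VERSION, 17);
    wr32(buf + H_LAST_COMP_VERSION, 16);
    wr32(buf + H_SIZE_DT_STRINGS, 8);
    wr32(buf + H_SIZE_DT_STRUCT, 16);
    wr32(buf + 40, 0x00000001U);   /* FDT_BEGIN_NODE as the first struct token */
}

/* 1 if a well-formed blob passes and the checked pointer lands on the struct block. */
int demo_well_formed(void)
{
    uint8_t blob[BLOB_SIZE];
    build_blob(blob, FDT_HEADER_SIZE);
    const uint8_t *p = checked_offset_ptr(blob, sizeof blob, 0, 4);
    return check_header(blob, sizeof blob) == 0 && p == blob + FDT_HEADER_SIZE && rd32(p) == 1;
}

/* How many bytes past the blob the unchecked pointer lands for a corrupted off_dt_struct. */
uint64_t demo_corrupted_unchecked_distance(uint32_t bad_off)
{
    uint8_t blob[BLOB_SIZE];
    build_blob(blob, bad_off);
    return (uint64_t)((uintptr_t)unchecked_offset_ptr(blob, 0) - (uintptr_t)blob);
}

/* 1 if the same corrupted blob is rejected by the header check and the checked accessor. */
int demo_corrupted_rejected(uint32_t bad_off)
{
    uint8_t blob[BLOB_SIZE];
    build_blob(blob, bad_off);
    return check_header(blob, sizeof blob) == -4 && checked_offset_ptr(blob, sizeof blob, 0, 4) == NULL;
}
```

The value `0xfffffff0` is the instructive case: with 32-bit arithmetic, `off_dt_struct + size_dt_struct` wraps to 0 and would slip past a naive `<= totalsize` test, which is why the check is done in 64 bits. The broader lesson of the thread is the same: the accessor is only safe once the header check has actually been called on the blob, so the call must sit on every path that receives a device tree from outside.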