[PATCH 3/3] libfdt: Check fdt_offset_ptr() return value unconditionally
Marek Vasut
marek.vasut at mailbox.org
Thu Nov 20 05:20:16 CET 2025
On 11/14/25 12:34 AM, Simon Glass wrote:
Hello Simon,
>>>> diff --git a/scripts/dtc/libfdt/fdt.c b/scripts/dtc/libfdt/fdt.c
>>>> index 95f644c31f9..d16cc3d4730 100644
>>>> --- a/scripts/dtc/libfdt/fdt.c
>>>> +++ b/scripts/dtc/libfdt/fdt.c
>>>> @@ -168,7 +168,7 @@ uint32_t fdt_next_tag(const void *fdt, int startoffset, int *nextoffset)
>>>>
>>>> *nextoffset = -FDT_ERR_TRUNCATED;
>>>> tagp = fdt_offset_ptr(fdt, offset, FDT_TAGSIZE);
>>>> - if (!can_assume(VALID_DTB) && !tagp)
>>>> + if (!tagp)
>>>> return FDT_END; /* premature end */
>>>> tag = fdt32_to_cpu(*tagp);
>>>> offset += FDT_TAGSIZE;
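Review bot: the `if (!tagp)` test ahead of `tag = fdt32_to_cpu(*tagp);` now also runs in builds that assume VALID_DTB, yet nothing in the hunk says why fdt_offset_ptr() can return NULL on that path. Since the guard was previously compiled out under can_assume(VALID_DTB), add a short comment above it (or a sentence in the commit message) naming the condition that makes the check mandatory, for example a caller-supplied startoffset that cannot be resolved. The early return itself looks consistent with the surrounding code: `*nextoffset` has already been set to -FDT_ERR_TRUNCATED, so a caller checking nextoffset still sees an error.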
>>>> @@ -186,7 +186,7 @@ uint32_t fdt_next_tag(const void *fdt, int startoffset, int *nextoffset)
>>>>
>>>> case FDT_PROP:
>>>> lenp = fdt_offset_ptr(fdt, offset, sizeof(*lenp));
>>>> - if (!can_assume(VALID_DTB) && !lenp)
>>>> + if (!lenp)
>>>> return FDT_END; /* premature end */
>>>>
>>>> len = fdt32_to_cpu(*lenp);
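Review bot: in the FDT_PROP case the unconditional `if (!lenp)` does protect `len = fdt32_to_cpu(*lenp);`, but it reports the failure as FDT_END with the comment "premature end", which is the same result as the `tagp` check. A truncated blob and an offset the caller should never have passed therefore become indistinguishable. If the NULL comes from a bad offset handed in by the caller, validating the offset at the call site would address the cause; if the guard stays here, update the comment to say that it also covers an unresolvable offset, not only a short blob.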
>>>> --
>>>> 2.51.0
>>>>
>>>
>>> The can_assume() is there to be respected and helps to reduce code
>>> size. What problem are you actually seeing?
>> fdt_offset_ptr() can return NULL, and it does in test_spl on sandbox if
>> I recall it right, because the U-Boot code passes in offsets which can
>> not be resolved properly and that makes fdt_offset_ptr() return NULL and
>> trigger SIGSEGV when it is dereferenced here.
>
> That sounds like the FDT is corrupt? Here we are parsing through tags,
> so we should really figure out why it is corrupt.
>
> But if not, then we should not be passing bad offsets...so what is
> the root cause of that?
These four [1] [2] [3] [4] supersede this patch.
[1] https://lore.kernel.org/u-boot/20251120041439.817233-1-marek.vasut+renesas@mailbox.org/
[2] https://lore.kernel.org/u-boot/20251120041504.817264-1-marek.vasut+renesas@mailbox.org/
[3] https://lore.kernel.org/u-boot/20251120041526.817288-1-marek.vasut+renesas@mailbox.org/
[4] https://lore.kernel.org/u-boot/20251120041613.817311-1-marek.vasut+renesas@mailbox.org/