[PATCH] boot: Check noffset before use
Heinrich Schuchardt
xypron.glpk at gmx.de
Fri Nov 21 12:43:32 CET 2025
On 20 November 2025 05:15:30 CET, Marek Vasut <marek.vasut+renesas at mailbox.org> wrote:
>If noffset is negative, do not pass it to fit_get_name() and then further to
>libfdt, this will crash sandbox with SIGSEGV because libfdt cannot handle
>negative node offsets without full tree check, which U-Boot inhibits to keep
>size lower.
>
>Instead, always check noffset before use, and if the return value indicates
>failure, exit right away.
>
>Signed-off-by: Marek Vasut <marek.vasut+renesas at mailbox.org>
Acked-by: Heinrich Schuchardt <xypron.glpk at gmx.de>
>---
>Cc: Heinrich Schuchardt <xypron.glpk at gmx.de>
>Cc: Quentin Schulz <quentin.schulz at cherry.de>
>Cc: Simon Glass <sjg at chromium.org>
>Cc: Tom Rini <trini at konsulko.com>
>Cc: Wolfgang Wallner <wolfgang.wallner at br-automation.com>
>Cc: u-boot at lists.denx.de
>---
> boot/image-fit.c | 4 +++-
> 1 file changed, 3 insertions(+), 1 deletion(-)
>
>diff --git a/boot/image-fit.c b/boot/image-fit.c
>index cccaa48f683..35595f15ac3 100644
>--- a/boot/image-fit.c
>+++ b/boot/image-fit.c
>@@ -2137,7 +2137,6 @@ int fit_image_load(struct bootm_headers *images, ulong addr,
>
> noffset = fit_conf_get_prop_node(fit, cfg_noffset, prop_name,
> image_ph_phase(ph_type));
>- fit_uname = fit_get_name(fit, noffset, NULL);
> }
> if (noffset < 0) {
> printf("Could not find subimage node type '%s'\n", prop_name);
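Review bot: With the fit_get_name() call removed from the branch that assigns noffset, nothing in the code records why the name lookup has to wait until after the `if (noffset < 0)` check. A short comment above that check, noting that noffset may be negative at this point and must not reach fit_get_name() or libfdt before it is validated, would keep a later cleanup from moving the lookup back in front of the check.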
>@@ -2145,6 +2144,9 @@ int fit_image_load(struct bootm_headers *images, ulong addr,
> return -ENOENT;
> }
>
>+ if (!fit_uname)
>+ fit_uname = fit_get_name(fit, noffset, NULL);
>+
> printf(" Trying '%s' %s subimage\n", fit_uname, prop_name);
>
> ret = fit_image_select(fit, noffset, images->verify);
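Review bot: The added `if (!fit_uname)` guard is not equivalent to the removed unconditional assignment unless fit_uname is always NULL when the fit_conf_get_prop_node() path is taken. If it can be non-NULL there, the "Trying '%s'" message prints the earlier value rather than the name of the node at noffset. Please state that invariant in the commit message, or make the assignment depend on how noffset was obtained instead of on fit_uname being NULL. Separately, the result of fit_get_name() is passed straight to printf() as a %s argument without a NULL check.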