[PATCH 1/1] boot: fit: validate FDT/DTO payload before fdt_open_into()

Tom Rini trini at konsulko.com
Mon Feb 23 21:43:57 CET 2026


On Mon, Feb 23, 2026 at 01:40:04PM -0700, James Hilliard wrote:

> boot_get_fdt_fit_into_buffer() calls fdt_open_into() for both the
> base FDT and overlay DTO blobs loaded from a FIT image.
> 
> Those blobs come from FIT payload data. In the overlay path,
> fit_image_load() is called with FIT_LOAD_IGNORED, so the IH_TYPE_FLATDT
> header check in fit_image_load() is skipped. This leaves fdt_open_into()
> to consume header-derived offsets/sizes from unvalidated input.
> 
> Validate the full blob against the payload length first with
> fdt_check_full(fdtsrcbuf, srclen), then proceed with fdt_totalsize() and
> fdt_open_into(). This fixes Coverity CID 644638 (TAINTED_SCALAR).
> 
> Fixes: 5ebf0c55a23 ("image: fit: Apply overlays using aligned writable FDT copies")
> Link: https://lore.kernel.org/all/20260223195109.GG3233182@bill-the-cat/
> Signed-off-by: James Hilliard <james.hilliard1 at gmail.com>

Thanks for such a quick response.

Addresses-Coverity-ID: 644638 (TAINTED_SCALAR)
Reviewed-by: Tom Rini <trini at konsulko.com>

-- 
Tom
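An added example, not U-Boot or libfdt code, of the pattern the commit message describes: a blob lifted from FIT payload data carries its own totalsize and section offsets in its header, and anything that consumes those values before bounding them against the real payload length (srclen) is working from a tainted scalar. The function names (fdt_check_header_bounded, copy_tree_unchecked, copy_tree_checked), the error codes and the sample blob are hypothetical; the check is a deliberately reduced stand-in for fdt_check_full() that covers only the version 17 header fields and the memory reservation map, not the structure or strings block contents.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical stand-in for a subset of libfdt's fdt_check_full(): every
 * header-derived offset/size is bounded against the caller-supplied payload
 * length before the blob is used. Not U-Boot or libfdt code. */

#define FDT_MAGIC   0xd00dfeedU
#define FDT_HDR_LEN 40u   /* sizeof(struct fdt_header), version 17 layout */

enum { FDT_OK = 0, ERR_TRUNCATED = -1, ERR_BADMAGIC = -2,
       ERR_BADVERSION = -3, ERR_BADOFFSET = -4, ERR_NOSPACE = -5 };

struct fdt_hdr {
    uint32_t magic, totalsize, off_dt_struct, off_dt_strings, off_mem_rsvmap,
             version, last_comp_version, boot_cpuid_phys, size_dt_strings,
             size_dt_struct;
};

static uint32_t be32(const uint8_t *p)
{ return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3]; }
static void put32(uint8_t *p, uint32_t v)
{ p[0] = v >> 24; p[1] = v >> 16; p[2] = v >> 8; p[3] = (uint8_t)v; }

/* Returns FDT_OK only when every header field is consistent with srclen. */
int fdt_check_header_bounded(const uint8_t *buf, size_t srclen, struct fdt_hdr *h)
{
    static const uint8_t zero_entry[16] = {0};
    uint64_t ts, off;

    if (srclen < FDT_HDR_LEN) return ERR_TRUNCATED;  /* header itself is cut off */
    h->magic = be32(buf);               h->totalsize = be32(buf + 4);
    h->off_dt_struct = be32(buf + 8);   h->off_dt_strings = be32(buf + 12);
    h->off_mem_rsvmap = be32(buf + 16); h->version = be32(buf + 20);
    h->last_comp_version = be32(buf + 24); h->boot_cpuid_phys = be32(buf + 28);
    h->size_dt_strings = be32(buf + 32); h->size_dt_struct = be32(buf + 36);

    if (h->magic != FDT_MAGIC) return ERR_BADMAGIC;
    if (h->version < 17) return ERR_BADVERSION;      /* assumption: v17+ only */
    /* The claimed totalsize must fit inside what was actually loaded. */
    if (h->totalsize < FDT_HDR_LEN || h->totalsize > srclen) return ERR_TRUNCATED;
    ts = h->totalsize;
    /* 64-bit sums so that offset + size cannot wrap back under totalsize. */
    if (h->off_dt_struct < FDT_HDR_LEN || h->off_dt_struct % 4 ||
        (uint64_t)h->off_dt_struct + h->size_dt_struct > ts) return ERR_BADOFFSET;
    if (h->off_dt_strings < FDT_HDR_LEN ||
        (uint64_t)h->off_dt_strings + h->size_dt_strings > ts) return ERR_BADOFFSET;
    if (h->off_mem_rsvmap < FDT_HDR_LEN || h->off_mem_rsvmap % 8) return ERR_BADOFFSET;
    /* The reservation map must reach its all-zero terminator inside totalsize. */
    for (off = h->off_mem_rsvmap;; off += 16) {
        if (off + 16 > ts) return ERR_BADOFFSET;
        if (!memcmp(buf + off, zero_entry, 16)) break;
    }
    return FDT_OK;
}

/* "Before": totalsize is a tainted scalar read straight from the payload. The
 * dst check protects the destination only; src is over-read when the header
 * claims more bytes than were loaded. Shown for contrast, never called here. */
int copy_tree_unchecked(const uint8_t *src, uint8_t *dst, size_t dstlen)
{
    uint32_t n = be32(src + 4);
    if (n > dstlen) return ERR_NOSPACE;
    memcpy(dst, src, n);
    return FDT_OK;
}

/* "After": validate against the real payload length, then use totalsize. */
int copy_tree_checked(const uint8_t *src, size_t srclen, uint8_t *dst, size_t dstlen)
{
    struct fdt_hdr h;
    int rc = fdt_check_header_bounded(src, srclen, &h);
    if (rc) return rc;
    if (h.totalsize > dstlen) return ERR_NOSPACE;
    memcpy(dst, src, h.totalsize);
    return FDT_OK;
}

#define GOOD_TOTALSIZE 72u
/* Constructed sample blob: header, one terminating reservation entry, and a
 * structure block holding only an empty root node (BEGIN_NODE "", END_NODE, END). */
static void build_good_blob(uint8_t *b)
{
    memset(b, 0, GOOD_TOTALSIZE);
    put32(b + 0, FDT_MAGIC);  put32(b + 4, GOOD_TOTALSIZE);
    put32(b + 8, 56);         /* off_dt_struct */
    put32(b + 12, 72);        /* off_dt_strings (empty block at the end) */
    put32(b + 16, 40);        /* off_mem_rsvmap */
    put32(b + 20, 17);        /* version */
    put32(b + 24, 16);        /* last_comp_version */
    put32(b + 36, 16);        /* size_dt_struct */
    put32(b + 56, 1); put32(b + 60, 0); put32(b + 64, 2); put32(b + 68, 9);
}

/* Patch one header field of the good blob and report the check result. */
int demo_check_patched(unsigned field_off, uint32_t value)
{
    uint8_t blob[GOOD_TOTALSIZE];
    struct fdt_hdr h;
    build_good_blob(blob);
    if (field_off < FDT_HDR_LEN) put32(blob + field_off, value);
    return fdt_check_header_bounded(blob, sizeof blob, &h);
}

/* Copy the good blob with a given (possibly short) srclen and dst capacity. */
int demo_copy(size_t srclen, size_t dstlen)
{
    uint8_t blob[GOOD_TOTALSIZE], dst[128];
    build_good_blob(blob);
    if (srclen > sizeof blob || dstlen > sizeof dst) return ERR_NOSPACE;
    return copy_tree_checked(blob, srclen, dst, dstlen);
}
```

The point of the ordering is that fdt_totalsize() is only meaningful once the check has confirmed the header lies entirely within the loaded payload; calling it first, as the unchecked path does, is what Coverity flags as a tainted scalar. A payload shorter than the header's totalsize, an offset that wraps past 32 bits, or a reservation map that runs off the end are all rejected before any copy takes place.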