[PATCH v2 0/2] fdt_support: validate property lengths in chosen and dma-range fixups

Tom Rini trini at konsulko.com
Fri Jun 12 03:59:15 CEST 2026


On Tue, 26 May 2026 02:09:13 +0000, Aristo Chen wrote:

> boot/fdt_support.c contains a number of helpers that fix up the kernel
> devicetree handed to the OS during bootm/booti. Several of those
> helpers consume fdt_getprop() results without validating the returned
> length against the per-entry size implied by the surrounding cell-count
> arithmetic. When the OS devicetree is not signature-verified, for
> example an unsigned FIT, a DT loaded from $fdtaddr or $fdtcontroladdr,
> or a DT supplied over a network boot, the property is
> attacker-influenced and the missing checks turn into out-of-bounds
> reads or writes on the FDT blob and on stack buffers.
> 
> [...]

Applied to u-boot/next, thanks!

[1/2] fdt_support: bound serialN alias length before copying to stack
      commit: ca774b94d66332b6bd033369227ac487ad07d5e8
[2/2] fdt_support: validate dma-ranges length in fdt_get_dma_range
      commit: 84e250c0a85a615620a461e0710bb970801fb276
-- 
Tom
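
The class of check the cover letter describes, as an added example that is not part of the original message and not the code from either commit: a property length is validated against the entry size implied by the cell counts, and a string property is bounded before it is copied into a fixed buffer. The helper names, the cap of 4 cells and the sample values are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helpers, not U-Boot or libfdt functions. 'prop' and 'len'
 * stand for what fdt_getprop() returns; a negative len is its error case. */

/* dma-ranges is a list of (child addr, parent addr, size) entries, each
 * field a run of 32-bit cells. Returns the entry count, or -1. */
static int dma_ranges_entries(int len, int child_cells, int parent_cells,
                              int size_cells)
{
    /* Cell counts come from the same blob; the cap of 4 is an assumption. */
    if (child_cells < 1 || child_cells > 4 || parent_cells < 1 ||
        parent_cells > 4 || size_cells < 1 || size_cells > 4)
        return -1;
    int entry = (child_cells + parent_cells + size_cells) * (int)sizeof(uint32_t);
    if (len < entry || len % entry != 0)
        return -1;   /* error, short, or ragged property */
    return len / entry;
}

/* Copy a string property (such as a serialN alias path) into a fixed
 * buffer. Rejects missing, unterminated or oversized values. */
static int copy_string_prop(char *dst, size_t dst_size, const void *prop, int len)
{
    if (!prop || len <= 0 || (size_t)len > dst_size)
        return -1;
    if (((const char *)prop)[len - 1] != '\0')
        return -1;
    memcpy(dst, prop, (size_t)len);
    return 0;
}

int main(void)
{
    char path[16];
    /* Constructed sample values, not taken from a real devicetree. */
    printf("24 bytes, 2/2/2 cells: %d\n", dma_ranges_entries(24, 2, 2, 2));
    printf("20 bytes, 2/2/2 cells: %d\n", dma_ranges_entries(20, 2, 2, 2));
    printf("short alias: %d\n", copy_string_prop(path, sizeof(path), "/uart0", 7));
    printf("long alias: %d\n", copy_string_prop(path, sizeof(path),
           "/soc/bus@0/serial@10000000", 27));
    return 0;
}
```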



