[PATCH v3] lib: fdtdec: validate bloblist FDT before consuming libfdt size

Thu May 7 21:46:28 CEST 2026

Hi Raymond,

thank you for a quick rework!

On Wed, 2026-05-06 at 10:55 -0400, Raymond Mao wrote:
> From: Raymond Mao <raymond.mao at riscstar.com>
> 
> Coverity Scan defects are observed in fdtdec_apply_bloblist_dtos(),
> since the live FDT taken from the bloblist is passed to libfdt helpers
> which consume header size/offset fields:
> - fdt_open_into()
> - fdt_pack()
> 
> Validate the bloblist FDT with fdt_check_full() before calling
> fdt_open_into() and again after applying overlays before calling
> fdt_pack(). This makes the libfdt consumers operate on a checked FDT
> blob while keeping the existing flow unchanged.
> 
> Also normalize libfdt return codes from this path to errno values,
> including the overlay callback path through bloblist_apply_blobs().
> 
> Fixes: b70cbbfbf94f ("fdtdec: apply DT overlays from bloblist")
> Addresses-Coverity-ID: CID 645837: (TAINTED_SCALAR)
> Signed-off-by: Raymond Mao <raymond.mao at riscstar.com>

Reviewed-by: Alexander Sverdlin <alexander.sverdlin at siemens.com>

> ---
> changes in v2:
> - Rebased on master.
> changes in v3:
> - replace the local helper fdtdec_get_valid_fdt_size() with
>   fdt_check_full().
> - remove the check after fdt_pack().
> - add helper to map FDT_ERR to errno, and normalize return codes of
>   fdtdec_apply_dto_blob() and fdtdec_apply_bloblist_dtos().
> 
>  lib/fdtdec.c | 38 +++++++++++++++++++++++++++++++++-----
>  1 file changed, 33 insertions(+), 5 deletions(-)
> 
> diff --git a/lib/fdtdec.c b/lib/fdtdec.c
> index 2d66860f6ed..c67b6e8c133 100644
> --- a/lib/fdtdec.c
> +++ b/lib/fdtdec.c
> @@ -1729,19 +1729,38 @@ static int fdtdec_match_dto_compatible(const void *base, const void *dto)
>  	return 0;
>  }
>  
> +static inline int fdtdec_ret_to_errno(int ret)
> +{
> +	switch (ret) {
> +	case -FDT_ERR_NOTFOUND:
> +		return -ENOENT;
> +	case -FDT_ERR_EXISTS:
> +		return -EEXIST;
> +	case -FDT_ERR_NOSPACE:
> +	case -FDT_ERR_NOPHANDLES:
> +		return -ENOSPC;
> +	default:
> +		return -EINVAL;
> +	}
> +}
> +
>  static int fdtdec_apply_dto_blob(void **blob, __maybe_unused int size)
>  {
>  	int ret;
>  
>  	ret = fdt_check_header(*blob);
>  	if (ret)
> -		return ret;
> +		return fdtdec_ret_to_errno(ret);
>  
>  	ret = fdtdec_match_dto_compatible(gd->fdt_blob, *blob);
>  	if (ret)
>  		return ret;
>  
> -	return fdt_overlay_apply_verbose((void *)gd->fdt_blob, *blob);
> +	ret = fdt_overlay_apply_verbose((void *)gd->fdt_blob, *blob);
> +	if (ret)
> +		return fdtdec_ret_to_errno(ret);
> +
> +	return 0;
>  }
>  
>  static int fdtdec_apply_bloblist_dtos(void)
> @@ -1760,6 +1779,10 @@ static int fdtdec_apply_bloblist_dtos(void)
>  	if (live_fdt != gd->fdt_blob)
>  		return -ENOENT;
>  
> +	ret = fdt_check_full(live_fdt, blob_size);
> +	if (ret)
> +		return fdtdec_ret_to_errno(ret);
> +
>  	/* Calculate the allowed padded size */
>  	padded_size = fdt_totalsize(live_fdt) + CONFIG_SYS_FDT_PAD;
>  	max_size = bloblist_get_total_size() - bloblist_get_size() + blob_size;
> @@ -1772,20 +1795,25 @@ static int fdtdec_apply_bloblist_dtos(void)
>  		if (ret)
>  			return ret;
>  
> +		blob_size = padded_size;
>  		ret = fdt_open_into(live_fdt, live_fdt, padded_size);
>  		if (ret)
> -			return ret;
> +			return fdtdec_ret_to_errno(ret);
>  	}
>  
>  	ret = bloblist_apply_blobs(BLOBLISTT_FDT_OVERLAY, fdtdec_apply_dto_blob);
>  	if (ret)
>  		return ret;
>  
> -	/* Shrink the blob to the actual FDT size */
> +	ret = fdt_check_full(live_fdt, blob_size);
> +	if (ret)
> +		return fdtdec_ret_to_errno(ret);
> +
>  	ret = fdt_pack(live_fdt);
>  	if (ret)
> -		return ret;
> +		return fdtdec_ret_to_errno(ret);
>  
> +	/* Shrink the blob to the actual FDT size */
>  	return bloblist_resize(BLOBLISTT_CONTROL_FDT, fdt_totalsize(live_fdt));
>  }
>  

-- 
Alexander Sverdlin
Siemens AG
www.siemens.com