[PATCH 1/1] armv8: sec_firmware: validate loadables string list

Josh Law josh2 at disroot.org
Sat May 23 14:18:00 CEST 2026 

sec_firmware_check_copy_loadable() walks the loadables property by hand
and treats each entry as a C string. If a malformed property is missing
the trailing NUL inside its length, strchr() can read past the property
while looking for the end of the entry.

Use libfdt string list helpers for the walk. Missing loadables still
means there is nothing to copy, and malformed loadables now fail before
use.

Signed-off-by: Josh Law <josh2 at disroot.org>
---
 arch/arm/cpu/armv8/sec_firmware.c | 24 ++++++++++++++++++------
 1 file changed, 18 insertions(+), 6 deletions(-)

diff --git a/arch/arm/cpu/armv8/sec_firmware.c b/arch/arm/cpu/armv8/sec_firmware.c
index 44372cbe4a1..8c31fd19399 100644
--- a/arch/arm/cpu/armv8/sec_firmware.c
+++ b/arch/arm/cpu/armv8/sec_firmware.c
@@ -86,8 +86,8 @@ static int sec_firmware_check_copy_loadable(const void *sec_firmware_img,
 	const void *data;
 	size_t size;
 	ulong load;
-	const char *name, *str, *type;
-	int len;
+	const char *str, *type;
+	int count, i, len;
 
 	conf_node_off = fit_conf_get_node(sec_firmware_img, NULL);
 	if (conf_node_off < 0) {
@@ -104,16 +104,28 @@ static int sec_firmware_check_copy_loadable(const void *sec_firmware_img,
 
 	type = FIT_LOADABLE_PROP;
 
-	name = fdt_getprop(sec_firmware_img, conf_node_off, type, &len);
-	if (!name) {
+	count = fdt_stringlist_count(sec_firmware_img, conf_node_off, type);
+	if (count == -FDT_ERR_NOTFOUND) {
 		/* Loadables not present */
 		return 0;
 	}
+	if (count < 0) {
+		printf("SEC Firmware: invalid '%s' property: %s\n", type,
+		       fdt_strerror(count));
+		return -EINVAL;
+	}
 
 	printf("SEC Firmware: '%s' present in config\n", type);
 
-	for (str = name; str && ((str - name) < len);
-	     str = strchr(str, '\0') + 1) {
+	for (i = 0; i < count; i++) {
+		str = fdt_stringlist_get(sec_firmware_img, conf_node_off, type,
+					 i, &len);
+		if (!str) {
+			printf("SEC Firmware: can't read '%s' entry %d: %s\n",
+			       type, i, fdt_strerror(len));
+			return -EINVAL;
+		}
+
 		printf("%s: '%s'\n", type, str);
 		ld_node_off = fdt_subnode_offset(sec_firmware_img, images, str);
 		if (ld_node_off < 0) {
-- 
2.47.3

More information about the U-Boot mailing list