[PATCH v1 1/3] fdt_support: bound serialN alias length before copying to stack
Aristo Chen
aristo.chen at canonical.com
Mon May 25 15:26:23 CEST 2026
fdt_fixup_stdout() reads the path stored in /aliases/serialN with
fdt_getprop() and then memcpys it into a fixed 256-byte stack buffer.
The length returned by libfdt is the raw on-disk property size and is
not bounded by any console-path convention, so an oversized property
in a malformed or untrusted devicetree overflows the buffer with
attacker-controlled length and contents. The "/* long enough */"
comment next to tmp[] codifies an unchecked assumption.
Reject lengths that exceed sizeof(tmp) with a warning and return
-FDT_ERR_NOSPACE. The fixup runs during fdt_chosen() on every booted
kernel when CONFIG_OF_STDOUT_VIA_ALIAS is enabled, and when the OS
devicetree is not signature-verified the property is reachable from an
attacker-influenced blob.
Signed-off-by: Aristo Chen <aristo.chen at canonical.com>
---
boot/fdt_support.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/boot/fdt_support.c b/boot/fdt_support.c
index 1c215e548db..3e9445603ff 100644
--- a/boot/fdt_support.c
+++ b/boot/fdt_support.c
@@ -160,6 +160,12 @@ static int fdt_fixup_stdout(void *fdt, int chosenoff)
goto noalias;
}
+ if (len > (int)sizeof(tmp)) {
+ printf("WARNING: %s: %s alias path too long (%d bytes)\n",
+ __func__, sername, len);
+ return -FDT_ERR_NOSPACE;
+ }
+
/* fdt_setprop may break "path" so we copy it to tmp buffer */
memcpy(tmp, path, len);
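Review bot: the new `return -FDT_ERR_NOSPACE;` leaves the function by a different path from the `goto noalias;` that the surrounding code uses for the missing-alias case, so whatever error handling follows the `noalias:` label is skipped for this failure. Unless that is intended, `err = -FDT_ERR_NOSPACE; goto noalias;` would keep both failure paths consistent and avoid a second, differently formatted warning. The comparison itself is correct: `memcpy(tmp, path, len)` moves exactly `len` bytes, so `len == sizeof(tmp)` still fits and `>` rather than `>=` is the right bound. Since the commit message calls out the `/* long enough */` comment on `tmp[]` as an unchecked assumption, this hunk is also the place to drop or reword that comment now that the size is checked.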
--
2.43.0
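The failure mode described in the commit message, worked through as an added example (not U-Boot or libfdt code): a minimal builder and walker for the flattened-devicetree structure and strings blocks, with no blob header, so that the raw stored property length can be seen to flow unchanged from a crafted blob into the copy. The `getprop()` walker, the `struct tree` layout and the demo helpers are constructed for this illustration; the token values and the error numbers match the libfdt definitions, and the bound check mirrors the one in the patch.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Structure-block tokens and the two libfdt error codes used here. */
#define FDT_BEGIN_NODE   0x1
#define FDT_END_NODE     0x2
#define FDT_PROP         0x3
#define FDT_END          0x9
#define FDT_ERR_NOTFOUND 1
#define FDT_ERR_NOSPACE  3

/* Constructed in-memory tree: structure block plus property-name strings. */
struct tree {
	uint8_t st[1024];  size_t stlen;   /* big-endian token stream */
	char    strs[256]; size_t strslen; /* strings block */
};

static void put32(struct tree *t, uint32_t v)
{
	t->st[t->stlen++] = v >> 24; t->st[t->stlen++] = v >> 16;
	t->st[t->stlen++] = v >> 8;  t->st[t->stlen++] = v;
}
static uint32_t get32(const uint8_t *p)
{
	return ((uint32_t)p[0] << 24) | (p[1] << 16) | (p[2] << 8) | p[3];
}
static void pad4(struct tree *t) { while (t->stlen & 3) t->st[t->stlen++] = 0; }

static void begin_node(struct tree *t, const char *name)
{
	put32(t, FDT_BEGIN_NODE);
	memcpy(t->st + t->stlen, name, strlen(name) + 1);
	t->stlen += strlen(name) + 1;
	pad4(t);
}
static void end_node(struct tree *t) { put32(t, FDT_END_NODE); }

/* The stored length is whatever the blob author wrote; nothing in the
 * format ties it to a sane console-path size. */
static void add_prop(struct tree *t, const char *name, const void *data, uint32_t len)
{
	uint32_t nameoff = (uint32_t)t->strslen;
	memcpy(t->strs + t->strslen, name, strlen(name) + 1);
	t->strslen += strlen(name) + 1;
	put32(t, FDT_PROP); put32(t, len); put32(t, nameoff);
	memcpy(t->st + t->stlen, data, len);
	t->stlen += len;
	pad4(t);
}

/* Look up /<node>/<prop>; like fdt_getprop(), returns a pointer into the
 * blob and hands back the raw stored length in *lenp. */
static const void *getprop(const struct tree *t, const char *node,
			   const char *prop, int *lenp)
{
	size_t off = 0; int depth = 0, in_target = 0;
	while (off + 4 <= t->stlen) {
		uint32_t tok = get32(t->st + off); off += 4;
		if (tok == FDT_BEGIN_NODE) {
			const char *name = (const char *)t->st + off;
			in_target = (depth == 1 && strcmp(name, node) == 0);
			depth++;
			off = (off + strlen(name) + 1 + 3) & ~(size_t)3;
		} else if (tok == FDT_END_NODE) {
			depth--; in_target = 0;
		} else if (tok == FDT_PROP) {
			uint32_t len = get32(t->st + off), nameoff = get32(t->st + off + 4);
			if (in_target && strcmp(t->strs + nameoff, prop) == 0) {
				*lenp = (int)len;
				return t->st + off + 8;
			}
			off = (off + 8 + len + 3) & ~(size_t)3;
		} else {
			break; /* FDT_END or an unexpected token */
		}
	}
	*lenp = -FDT_ERR_NOTFOUND;
	return NULL;
}

/* Mirror of the patched copy step: refuse lengths that would not fit tmp. */
static int fixup_stdout(const struct tree *t, int serial, char *tmp,
			size_t tmpsz, int *outlen)
{
	char sername[9] = { 0 };
	const void *path; int len;
	snprintf(sername, sizeof(sername), "serial%d", serial);
	path = getprop(t, "aliases", sername, &len);
	if (!path)
		return len;
	if (len > (int)tmpsz) {
		printf("WARNING: %s: %s alias path too long (%d bytes)\n",
		       __func__, sername, len);
		return -FDT_ERR_NOSPACE;
	}
	memcpy(tmp, path, len);
	*outlen = len;
	return 0;
}

/* Build /aliases { serial0 = <path>; } with a caller-chosen stored length. */
static void build(struct tree *t, const char *path, uint32_t len)
{
	memset(t, 0, sizeof(*t));
	begin_node(t, "");
	begin_node(t, "aliases");
	add_prop(t, "serial0", path, len);
	end_node(t);
	end_node(t);
	put32(t, FDT_END);
}

/* Well-formed alias: copy succeeds and the length includes the NUL. */
int demo_normal(void)
{
	struct tree t; char tmp[256]; int n = 0;
	const char *p = "/soc/serial@1000";
	build(&t, p, (uint32_t)strlen(p) + 1);
	int rc = fixup_stdout(&t, 0, tmp, sizeof(tmp), &n);
	return (rc == 0 && n == 17 && strcmp(tmp, p) == 0) ? 0 : -1;
}

/* Crafted 300-byte alias: unbounded, this memcpy would overrun a 256-byte
 * tmp[] by 44 attacker-chosen bytes; with the bound it is refused. */
int demo_oversized(void)
{
	struct tree t; char tmp[256]; int n = 0;
	char big[300]; memset(big, 'A', sizeof(big) - 1); big[299] = '\0';
	build(&t, big, sizeof(big));
	return fixup_stdout(&t, 0, tmp, sizeof(tmp), &n);
}

int main(void)
{
	printf("normal: %d, oversized: %d\n", demo_normal(), demo_oversized());
	return 0;
}
```

The point the walker makes visible is that `len` is read straight from the `FDT_PROP` header written by whoever produced the blob; a signed or otherwise trusted devicetree is the only thing that makes it safe to rely on, which is why the bound belongs in the consumer rather than in a comment.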