Re: [PATCH] Catch unsigned 32bit overflow when parsing flattened device tree offsets




On Sun, Jan 03, 2016 at 08:32:49PM +1100, David Gibson wrote:
> On Sun, Jan 03, 2016 at 08:43:35AM +1100, Anton Blanchard wrote:
> > We have a couple of checks of the form:
> > 
> >     if (offset+size > totalsize)
> >         die();
> > 
> > We need to check that offset+size doesn't overflow, otherwise the check
> > will pass, and we may access past totalsize.
> > 
> > Found with AFL.
> > 
> > Signed-off-by: Anton Blanchard <anton@xxxxxxxxx>
> > ---
> > 
> > I've attached an example device tree, do we want to add binary blobs
> > to the test suite?
> 
> I've generally avoided it, but I forget exactly why.  Usually I try to
> generate the testcases as dts and compile them, but I'm guessing this dtb is
> something that shouldn't be possible as good output from dtc.
> 
> It would be possible to construct it from test/trees.S, but just
> including the binary blob might be simpler.
> 
> Certainly I would like to include this testcase into the testsuite,
> one way or another.

I finally sorted this out and added this fix, plus a testcase to the
tree.

Btw, do you have the scripts you used to run AFL on dtc?  I'd love to
try it myself.

-- 
David Gibson			| I'll have my music baroque, and my code
david AT gibson.dropbear.id.au	| minimalist, thank you.  NOT _the_ _other_
				| _way_ _around_!
http://www.ozlabs.org/~dgibson
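The overflow the patch description refers to, shown as an added stand-alone example (not dtc's own code): the naive `offset+size > totalsize` check beside an overflow-safe form, driven by constructed header values.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* The pattern the patch criticises: offset + size is computed in
 * unsigned 32-bit arithmetic and can wrap to a small value, so the
 * bound check passes for a region that really lies past totalsize. */
bool region_ok_naive(uint32_t offset, uint32_t size, uint32_t totalsize)
{
    uint32_t end = (uint32_t)(offset + size);   /* may wrap */
    return end <= totalsize;
}

/* Overflow-safe form: reject the region if the sum would wrap, then
 * apply the same bound check on the (now trustworthy) end offset. */
bool region_ok_checked(uint32_t offset, uint32_t size, uint32_t totalsize)
{
    if (offset > UINT32_MAX - size)             /* offset + size would wrap */
        return false;
    return offset + size <= totalsize;
}

int main(void)
{
    /* Constructed values, not taken from any real dtb. */
    uint32_t totalsize = 0x1000;
    uint32_t bad_off = 0xFFFFFFF0u, bad_size = 0x20;   /* sum wraps to 0x10 */
    uint32_t good_off = 0x100, good_size = 0x200;      /* well inside the blob */

    printf("naive:   wrapped=%d in-bounds=%d\n",
           region_ok_naive(bad_off, bad_size, totalsize),
           region_ok_naive(good_off, good_size, totalsize));
    printf("checked: wrapped=%d in-bounds=%d\n",
           region_ok_checked(bad_off, bad_size, totalsize),
           region_ok_checked(good_off, good_size, totalsize));
    return 0;
}
```

The naive check accepts the wrapped region (end becomes 0x10, which is below totalsize) while the checked form rejects it; both accept the in-bounds region.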
