[PATCH 00/12] Improve libfdt's memory safety




It's always been a design goal of libfdt that it should be safe to
use, even on a badly corrupted fdt image.  "Safe" here meaning that it
should never access memory outside the blob's stated boundaries.

The existing code is pretty good about this with regard to accesses
to the structure block, thanks to the fdt_offset_ptr() helper
function.  However, accesses to the strings and memory reservation
blocks were less careful and could easily lead to wild pointer
dereferences in the case of a bad blob.

This series makes a number of improvements to libfdt safety, capping
it off with a new fdt_check_full() function which acts like an "fsck"
for fdt blobs.  Along the way we make some other cleanups.

David Gibson (12):
  libfdt: Clean up header checking functions
  libfdt: Make fdt_check_header() more thorough
  libfdt: Safer access to strings section
  libfdt: Propagate name errors in fdt_getprop_by_offset()
  libfdt: Safer access to memory reservations
  Consolidate utilfdt_read_len() variants
  libfdt: Add fdt_header_size()
  Use size_t for blob lengths in utilfdt_read*
  tests: Remove unused #define
  tests: Better handling of valgrind errors saving blobs
  tests: Use valgrind client requests for better checking
  libfdt: Add fdt_check_full() function

 fdtdump.c                  |   4 +-
 fdtget.c                   |   2 +-
 fdtoverlay.c               |   6 +-
 fdtput.c                   |   2 +-
 libfdt/fdt.c               |  76 ++++++++++++++++++-
 libfdt/fdt_overlay.c       |   6 +-
 libfdt/fdt_ro.c            | 183 ++++++++++++++++++++++++++++++++++++++++-----
 libfdt/fdt_rw.c            |  28 +++----
 libfdt/fdt_sw.c            |  18 ++---
 libfdt/libfdt.h            |  35 ++++++++-
 libfdt/libfdt_env.h        |   1 +
 libfdt/libfdt_internal.h   |   6 +-
 libfdt/version.lds         |   2 +-
 tests/.gitignore           |   4 +
 tests/Makefile.tests       |   4 +-
 tests/check_full.c         |  63 ++++++++++++++++
 tests/check_header.c       | 128 +++++++++++++++++++++++++++++++
 tests/dumptrees.c          |   2 +
 tests/mangle-layout.c      |   8 +-
 tests/mangle-layout.supp   |   7 --
 tests/open_pack.supp       |   7 --
 tests/run_tests.sh         |  14 ++++
 tests/sw_tree1.supp        |  18 -----
 tests/testdata.h           |   2 +
 tests/tests.h              |   1 +
 tests/testutils.c          |  78 +++++++++++++++++--
 tests/trees.S              |  46 ++++++++++++
 tests/truncated_memrsv.c   |  63 ++++++++++++++++
 tests/truncated_property.c |   2 +
 tests/truncated_string.c   |  81 ++++++++++++++++++++
 util.c                     |  23 ++----
 util.h                     |  20 +----
 32 files changed, 799 insertions(+), 141 deletions(-)
 create mode 100644 tests/check_full.c
 create mode 100644 tests/check_header.c
 delete mode 100644 tests/mangle-layout.supp
 delete mode 100644 tests/open_pack.supp
 delete mode 100644 tests/sw_tree1.supp
 create mode 100644 tests/truncated_memrsv.c
 create mode 100644 tests/truncated_string.c

-- 
2.14.3
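
The kind of bounds-checked strings-block lookup the cover letter describes, as an added example that is not code from this series or from libfdt. `checked_string` and `demo_len` are hypothetical names, the header offsets assume the version 17 flattened devicetree header layout, and the 48-byte blob is constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define FDT_MAGIC 0xd00dfeedu
#define HDR_SIZE  40u  /* v17 header: ten big-endian 32-bit fields */

static uint32_t get32(const uint8_t *p, size_t off)
{
    return ((uint32_t)p[off] << 24) | ((uint32_t)p[off + 1] << 16) |
           ((uint32_t)p[off + 2] << 8) | p[off + 3];
}

/* Hypothetical helper, not a libfdt function: string at stroffset in the
 * strings block, or NULL if reading it would leave the blob or the buffer. */
const char *checked_string(const uint8_t *p, size_t buflen, uint32_t stroffset)
{
    uint32_t totalsize, off_strings, size_strings;
    if (buflen < HDR_SIZE || get32(p, 0) != FDT_MAGIC)
        return NULL;
    totalsize = get32(p, 4);      /* header field: totalsize */
    off_strings = get32(p, 12);   /* header field: off_dt_strings */
    size_strings = get32(p, 32);  /* header field: size_dt_strings */
    /* The stated size must fit in the bytes the caller really holds. */
    if (totalsize < HDR_SIZE || totalsize > buflen)
        return NULL;
    /* Block must lie inside the blob; subtract so nothing can wrap. */
    if (off_strings > totalsize || size_strings > totalsize - off_strings)
        return NULL;
    if (stroffset >= size_strings)
        return NULL;
    /* The NUL terminator must appear before the block ends. */
    p += off_strings + stroffset;
    return memchr(p, '\0', size_strings - stroffset) ? (const char *)p : NULL;
}

/* Constructed 48-byte blob: header plus strings bytes "model\0ab" at offset
 * 40. Returns the length found, or -1 if the lookup is rejected. */
int demo_len(uint32_t size_strings, uint32_t stroffset)
{
    uint8_t b[48] = {0};
    const uint32_t h[10] = {FDT_MAGIC, 48, 40, 40, 40, 17, 16, 0,
                            size_strings, 0};
    for (size_t i = 0; i < 10; i++)
        for (int k = 0; k < 4; k++)
            b[4 * i + k] = (uint8_t)(h[i] >> (24 - 8 * k));
    memcpy(b + 40, "model\0ab", 8);
    const char *s = checked_string(b, sizeof b, stroffset);
    return s ? (int)strlen(s) : -1;
}
```

The second argument of `checked_string` is the real buffer length, kept separate from the blob's own `totalsize` field so that a header claiming more bytes than were supplied is rejected before any offset is used.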
