On 11 April 2018 at 22:52, David Gibson <david@xxxxxxxxxxxxxxxxxxxxx> wrote:
> fdt_num_mem_rsv() and fdt_get_mem_rsv() currently don't sanity check their
> parameters, or the memory reserve section offset in the header. That means
> that on a corrupted blob they could access outside of the range of memory
> that they should.
>
> This improves their safety checking, meaning they shouldn't access outside
> the blob's bounds, even if its contents are badly corrupted.
>
> Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
> ---
>  libfdt/fdt_ro.c          | 33 ++++++++++++++++++++-----
>  tests/.gitignore         |  1 +
>  tests/Makefile.tests     |  2 +-
>  tests/run_tests.sh       |  1 +
>  tests/testdata.h         |  1 +
>  tests/trees.S            | 20 +++++++++++++++
>  tests/truncated_memrsv.c | 63 ++++++++++++++++++++++++++++++++++++++++++++++++
>  7 files changed, 114 insertions(+), 7 deletions(-)
>  create mode 100644 tests/truncated_memrsv.c
>

Reviewed-by: Simon Glass <sjg@xxxxxxxxxxxx>
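
Added example, not libfdt's own code and not part of this thread: a standalone C reader for the DTB memory reservation map that applies the kind of checks the patch describes, validating totalsize, off_mem_rsvmap and every 16-byte entry against the bytes actually held before reading any of them. The names safe_num_mem_rsv, safe_get_mem_rsv, build_blob, demo_count and demo_get_address, and the two sample reservations, are assumptions made for this example; only the header field offsets, the 16-byte {address, size} entries and the all-zero terminator follow the flattened devicetree format.

```c
/* Added example, not libfdt code: bounds-checked reads of a DTB memory reservation map. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define FDT_MAGIC          0xd00dfeedu
#define FDT_HEADER_SIZE    40u  /* struct fdt_header: ten big-endian u32 fields */
#define FDT_RSV_ENTRY_SIZE 16u  /* struct fdt_reserve_entry: u64 address, u64 size */
#define OFF_TOTALSIZE      4u   /* header offset of totalsize */
#define OFF_MEM_RSVMAP     16u  /* header offset of off_mem_rsvmap */

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}
static uint64_t be64(const uint8_t *p) { return ((uint64_t)be32(p) << 32) | be32(p + 4); }
static void put32(uint8_t *p, uint32_t v)
{
    for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (24 - 8 * i));
}
static void put64(uint8_t *p, uint64_t v) { put32(p, (uint32_t)(v >> 32)); put32(p + 4, (uint32_t)v); }

/* Count reserve entries (the all-zero terminator excluded).  buflen is how many bytes
 * the caller really holds; totalsize, off_mem_rsvmap and every entry are checked
 * against it, so a corrupted blob yields -1 instead of a read past the end. */
int safe_num_mem_rsv(const uint8_t *blob, size_t buflen)
{
    if (buflen < FDT_HEADER_SIZE || be32(blob) != FDT_MAGIC)
        return -1;
    uint32_t totalsize = be32(blob + OFF_TOTALSIZE);
    if (totalsize < FDT_HEADER_SIZE || totalsize > buflen)
        return -1;                      /* header claims more than we hold */
    uint32_t off = be32(blob + OFF_MEM_RSVMAP);
    if (off < FDT_HEADER_SIZE || off > totalsize || (off & 7))
        return -1;                      /* map outside the blob, or not 8-byte aligned */
    for (int n = 0; ; n++, off += FDT_RSV_ENTRY_SIZE) {
        /* Subtraction, not off + 16 > totalsize: a huge off must not wrap the check. */
        if (totalsize - off < FDT_RSV_ENTRY_SIZE)
            return -1;                  /* truncated: no terminator inside the blob */
        if (be64(blob + off) == 0 && be64(blob + off + 8) == 0)
            return n;
    }
}

/* Fetch entry n.  Going through the validated count keeps n inside the blob. */
int safe_get_mem_rsv(const uint8_t *blob, size_t buflen, int n, uint64_t *address, uint64_t *size)
{
    int count = safe_num_mem_rsv(blob, buflen);
    if (count < 0 || n < 0 || n >= count)
        return -1;
    const uint8_t *e = blob + be32(blob + OFF_MEM_RSVMAP) + (size_t)n * FDT_RSV_ENTRY_SIZE;
    *address = be64(e); *size = be64(e + 8);
    return 0;
}

/* Constructed sample: 64 KiB reserved at 0x80000000 and 8 KiB at 0x90000000. */
static const uint64_t sample[] = { 0x80000000ull, 0x10000ull, 0x90000000ull, 0x2000ull };
/* Build a constructed blob: header, the two sample entries, then the zero
 * terminator unless terminate is 0.  Struct and strings blocks stay empty. */
static size_t build_blob(uint8_t *out, int terminate)
{
    size_t total = FDT_HEADER_SIZE + (size_t)(2 + terminate) * FDT_RSV_ENTRY_SIZE;
    memset(out, 0, total);              /* the terminator, if any, is these zeros */
    put32(out, FDT_MAGIC);
    put32(out + OFF_TOTALSIZE, (uint32_t)total);
    put32(out + OFF_MEM_RSVMAP, FDT_HEADER_SIZE);
    for (int i = 0; i < 2; i++) {
        put64(out + FDT_HEADER_SIZE + i * FDT_RSV_ENTRY_SIZE, sample[2 * i]);
        put64(out + FDT_HEADER_SIZE + i * FDT_RSV_ENTRY_SIZE + 8, sample[2 * i + 1]);
    }
    return total;
}
/* Count entries after optionally corrupting the constructed blob: terminate=0 drops the
 * terminator, forced_off!=0 overwrites off_mem_rsvmap, held!=0 limits the bytes held. */
int demo_count(int terminate, uint32_t forced_off, size_t held)
{
    uint8_t buf[128];
    size_t len = build_blob(buf, terminate);
    if (forced_off)
        put32(buf + OFF_MEM_RSVMAP, forced_off);
    return safe_num_mem_rsv(buf, held ? held : len);
}
/* Address of entry n in the well-formed constructed blob, or 0 if n is rejected. */
uint64_t demo_get_address(int n)
{
    uint8_t buf[128];
    uint64_t address, size;
    size_t len = build_blob(buf, 1);
    return safe_get_mem_rsv(buf, len, n, &address, &size) == 0 ? address : 0;
}

int main(void)
{
    printf("valid=%d truncated=%d bad_offset=%d offset_into_data=%d short_buffer=%d\n",
           demo_count(1, 0, 0), demo_count(0, 0, 0), demo_count(1, 0xfffffff8u, 0),
           demo_count(1, 48, 0), demo_count(1, 0, 48));
    printf("entry 1 address=0x%llx\n", (unsigned long long)demo_get_address(1));
    return 0;
}
```

The demo_count cases exercise the failure modes the commit message is about: a blob whose terminator was cut off by totalsize (-1 rather than walking past the end), an off_mem_rsvmap pointing beyond totalsize, an aligned offset that lands inside entry data so no terminator is found before totalsize runs out, and a caller holding fewer bytes than the header's totalsize claims. The subtraction form of the per-entry check matters: written as off + 16 > totalsize it wraps for an offset near UINT32_MAX and lets the read through.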