On Fri, Jun 11, 2021 at 12:58:22PM +0100, Andre Przywara wrote:
> The DTB header fields store unsigned values for size and offset, however
> we have a 2 GB limit on the overall size, since we use signed "node"
> offsets everywhere.
> 
> As fdt_open_into() is no exception here, check that the advertised DT
> structure size fits in an int, before using that value as an offset into
> a buffer.
> 
> Signed-off-by: Andre Przywara <andre.przywara@xxxxxxx>

Hm, I feel like we should probably just call fdt_check_header() from
fdt_open_into() which will make this check, amongst others.  In fact
slightly tighter, it will check that struct_end <= totalsize <= INT_MAX.

> ---
>  libfdt/fdt_rw.c | 2 ++
>  1 file changed, 2 insertions(+)
> 
> diff --git a/libfdt/fdt_rw.c b/libfdt/fdt_rw.c
> index a0f03d0..062edcc 100644
> --- a/libfdt/fdt_rw.c
> +++ b/libfdt/fdt_rw.c
> @@ -437,6 +437,8 @@ int fdt_open_into(const void *fdt, void *buf, int bufsize)
>  
>  	if (can_assume(LATEST) || fdt_version(fdt) >= 17) {
>  		struct_size = fdt_size_dt_struct(fdt);
> +		if (!can_assume(VALID_DTB) && struct_size < 0)
> +			return -FDT_ERR_NOSPACE;
>  	} else if (fdt_version(fdt) == 16) {
>  		struct_size = 0;
>  		while (fdt_next_tag(fdt, struct_size, &struct_size) != FDT_END)

-- 
David Gibson			| I'll have my music baroque, and my code
david AT gibson.dropbear.id.au	| minimalist, thank you.  NOT _the_ _other_
				| _way_ _around_!
http://www.ozlabs.org/~dgibson
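Review bot: the `struct_size < 0` test added in the fdt_open_into() hunk only fires because the unsigned header value returned by fdt_size_dt_struct() is silently truncated when it is stored in the int struct_size; comparing the unsigned field against INT_MAX before the assignment would make the intent explicit, and it still would not catch a structure block whose off_dt_struct + size_dt_struct runs past totalsize, which is the struct_end <= totalsize half of the check fdt_check_header() already performs. The error code is also misleading: -FDT_ERR_NOSPACE tells the caller that its destination buffer is too small, whereas a header advertising a structure block of 2 GB or more is malformed input, for which -FDT_ERR_BADSTRUCTURE (or simply propagating fdt_check_header()'s own return value) is the better signal.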
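The header rule the reply describes, struct_end <= totalsize <= INT_MAX, written out as a stand-alone added example. This is not libfdt's fdt_check_header() and not code from either participant; check_dtb_header, check_case, naive_end_fits, patched_check_fires and the HDR_* status values are hypothetical names, the header layout assumed is the 40-byte v17 flattened device tree header (ten big-endian u32 fields), and every input is constructed in the block. It also shows the two failure modes the patch and the reply are about: a size_dt_struct that goes negative once stored in an int, and an offset + size pair that wraps in 32-bit arithmetic so a naive comparison passes.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DTB_MAGIC   0xd00dfeedU
#define DTB_HDR_LEN 40u   /* v17 header: ten big-endian u32 fields (assumed layout) */

/* Hypothetical status codes for this example (not libfdt's FDT_ERR_*). */
enum hdr_status {
    HDR_OK = 0,
    HDR_TRUNCATED,     /* buffer shorter than a header, or totalsize smaller than one */
    HDR_BADMAGIC,
    HDR_TOOBIG,        /* totalsize does not fit in a signed int */
    HDR_BADSTRUCTURE   /* a block's offset + size runs past totalsize */
};

/* Load a big-endian u32 at byte offset off. */
static uint32_t ld32(const unsigned char *p, size_t off)
{
    return ((uint32_t)p[off] << 24) | ((uint32_t)p[off + 1] << 16) |
           ((uint32_t)p[off + 2] << 8) | (uint32_t)p[off + 3];
}

/* Store a big-endian u32 at byte offset off. */
static void st32(unsigned char *p, size_t off, uint32_t v)
{
    p[off] = (unsigned char)(v >> 24);     p[off + 1] = (unsigned char)(v >> 16);
    p[off + 2] = (unsigned char)(v >> 8);  p[off + 3] = (unsigned char)v;
}

/* Validate the size/offset fields before any of them is used as an int offset. */
enum hdr_status check_dtb_header(const unsigned char *hdr, size_t buflen)
{
    uint32_t totalsize, off_struct, size_struct, off_strings, size_strings;

    if (buflen < DTB_HDR_LEN)
        return HDR_TRUNCATED;
    if (ld32(hdr, 0) != DTB_MAGIC)
        return HDR_BADMAGIC;

    totalsize    = ld32(hdr, 4);
    off_struct   = ld32(hdr, 8);
    off_strings  = ld32(hdr, 12);
    size_strings = ld32(hdr, 32);
    size_struct  = ld32(hdr, 36);

    /* Offsets travel as int downstream, so the whole blob must be <= INT_MAX. */
    if (totalsize > (uint32_t)INT_MAX)
        return HDR_TOOBIG;
    if (totalsize < DTB_HDR_LEN)
        return HDR_TRUNCATED;

    /* Sum in 64 bits: a 32-bit off + size can wrap back to a small value. */
    if ((uint64_t)off_struct + size_struct > totalsize)
        return HDR_BADSTRUCTURE;
    if ((uint64_t)off_strings + size_strings > totalsize)
        return HDR_BADSTRUCTURE;

    /* With struct_end <= totalsize <= INT_MAX, every offset and size also
     * fits in an int, which is what the signed offsets downstream rely on. */
    return HDR_OK;
}

/* The 32-bit comparison a naive implementation might write; returns 1 when the
 * struct block "fits", including when off + size has already wrapped. */
int naive_end_fits(uint32_t totalsize, uint32_t off_struct, uint32_t size_struct)
{
    return off_struct + size_struct <= totalsize;
}

/* Mirror of the patched test: an unsigned size stored in an int turns negative
 * at 2 GB and above (two's complement assumed, as on libfdt's targets). */
int patched_check_fires(uint32_t size_struct)
{
    int struct_size = (int)size_struct;
    return struct_size < 0;
}

/* Build a constructed header (no body) with the given fields and check it. */
enum hdr_status check_case(uint32_t totalsize, uint32_t off_struct, uint32_t size_struct)
{
    unsigned char hdr[DTB_HDR_LEN];

    memset(hdr, 0, sizeof hdr);
    st32(hdr, 0, DTB_MAGIC);
    st32(hdr, 4, totalsize);
    st32(hdr, 8, off_struct);
    st32(hdr, 12, off_struct + size_struct);  /* empty strings block follows */
    st32(hdr, 20, 17);                        /* version */
    st32(hdr, 24, 16);                        /* last_comp_version */
    st32(hdr, 36, size_struct);
    return check_dtb_header(hdr, sizeof hdr);
}

int main(void)
{
    printf("sane header:          %d\n", check_case(0x100, 0x28, 0x40));
    printf("2 GB struct block:    %d (int goes negative: %d)\n",
           check_case(0x100, 0x28, 0x80000000u), patched_check_fires(0x80000000u));
    printf("totalsize > INT_MAX:  %d\n", check_case(0x80000000u, 0x28, 0x40));
    printf("wrapped off + size:   %d (naive 32-bit check says fits: %d)\n",
           check_case(0x100, 0xfffffff0u, 0x20),
           naive_end_fits(0x100, 0xfffffff0u, 0x20));
    return 0;
}
```

The last case is the one a single `struct_size < 0` test cannot see: size_dt_struct is a harmless 0x20, but off_dt_struct + size_dt_struct wraps to 0x10 in 32 bits, so only a check that carries the sum in 64 bits (or compares against totalsize - off_dt_struct) rejects it.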