Hello Abdelrahman,
Thanks for your patch.
On 12.11.24 13:54, Abdelrahman Youssef wrote:
> while parsing the fdt header, the name of the begining node marked by
> FDT_BEGIN_NODE that is part of the struct block moves out of the block
> that results in heap-overflow.
>
> So this patch checks if the length of name (maxlen) + the offset of
> the struct block exceeds the size of the whole block.
>
> Signed-off-by: Abdelrahman Youssef <abdelrahmanyossef12@xxxxxxxxx>
> ---
> drivers/of/fdt.c | 5 +++++
> 1 file changed, 5 insertions(+)
>
> diff --git a/drivers/of/fdt.c b/drivers/of/fdt.c
> index 2c3ea31394..7dc8ee2529 100644
> --- a/drivers/of/fdt.c
> +++ b/drivers/of/fdt.c
> @@ -210,6 +210,11 @@ static struct device_node *__of_unflatten_dtb(const void *infdt, int size,
> maxlen = (unsigned long)fdt + f.off_dt_struct +
> f.size_dt_struct - (unsigned long)name;
>
> + if (maxlen + f.off_dt_struct > f.size_dt_struct) {
This looks wrong:
- f.off_dt_struct is the offset in bytes of the struct area relative to
the start of the FDT
- f.size_dt_struct is the size of the struct area, i.e. the first byte
after the struct area and it does _not_ include the offset.
It doesn't make sense to subtract the size from the offset.
I have looked into it a little deeper now and I believe the root cause is
an integer overflow; if name _starts_ after the end of the struct area,
the computation for maxlen will result in a negative number and that
negative number would wrap around to a very big positive number.
We should change maxlen to be a (signed) int and return an error if
it becomes negative. Can you verify that fixes the issue and send a patch?
Cheers,
Ahmad
> + ret = -ESPIPE;
> + goto err;
> + }
> +
> len = strnlen(name, maxlen + 1);
> if (len > maxlen) {
> ret = -ESPIPE;
--
Pengutronix e.K. | |
Steuerwalder Str. 21 | http://www.pengutronix.de/ |
31137 Hildesheim, Germany | Phone: +49-5121-206917-0 |
Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-5555 |
