Hi Abdelrahman, just a remark, nothing wrong with your patch On November 14, 2024 4:51:14 PM GMT+01:00, Abdelrahman Youssef <abdelrahmanyossef12@xxxxxxxxx> wrote: >While fuzzing, the name marked by FDT_BEGIN_NODE sometimes extends beyond >the struct block area, causing a heap-overflow. > >Since `maxlen` is an unsigned integer representing the length of name, >It can be negative, so it overflows to large numbers, Causing strnlen() >to overflow. > >So we can just change the type of maxlen to signed and check if it's a >non-positive value, because name has a minimum length of 1 byte ('\0'). > >Also in strnlen() we shouldn't check for bytes exceeding maxlen, so we can remove >+ 1 in strnlen(). We also change if (len > maxlen) to >= to count for the null >terminator. > >Signed-off-by: Abdelrahman Youssef <abdelrahmanyossef12@xxxxxxxxx> > >--- >v3 -> v4: > - replace maxlen < 0 to maxlen <= 0 (Sascha) > - remove + 1 in strnlen() (Sascha) >v2 -> v3 > - changed formatting >v1 -> v2 > - the overflow was due to integer overflow not out-of-bounds (Ahmad) >--- > drivers/of/fdt.c | 11 ++++++++--- > 1 file changed, 8 insertions(+), 3 deletions(-) > >diff --git a/drivers/of/fdt.c b/drivers/of/fdt.c >index 2c3ea31394..75af1844f3 100644 >--- a/drivers/of/fdt.c >+++ b/drivers/of/fdt.c >@@ -176,7 +176,7 @@ static struct device_node *__of_unflatten_dtb(const void *infdt, int size, > void *dt_strings; > struct fdt_header f; > int ret; >- unsigned int maxlen; >+ int maxlen; > const struct fdt_header *fdt = infdt; > > ret = fdt_parse_header(infdt, size, &f); >@@ -210,8 +210,13 @@ static struct device_node *__of_unflatten_dtb(const void *infdt, int size, > maxlen = (unsigned long)fdt + f.off_dt_struct + > f.size_dt_struct - (unsigned long)name; > >- len = strnlen(name, maxlen + 1); >- if (len > maxlen) { >+ if (maxlen <= 0) { >+ ret = -ESPIPE; >+ goto err; >+ } >+ >+ len = strnlen(name, maxlen); >+ if (len >= maxlen) { here len cannot exceed maxlen, but if len == maxlen this means that there is not nul-byte in the name array (up to maxlen). by not passing maxlen + 1 there is a slight behavior change but i don't know if this an issus or not. in the previous case strnlen could read one past maxlen which is suspicious (maybe a bug) > ret = -ESPIPE; > goto err; > }