Re: [PATCH v4] of: fdt: fix possible overflow during parsing of fdt

Jules Maselbas <jmaselbas@xxxxxxxx> · Thu, 14 Nov 2024 17:39:16 +0100



Hi Abdelrahman,
just a remark, nothing wrong with your patch

On November 14, 2024 4:51:14 PM GMT+01:00, Abdelrahman Youssef <abdelrahmanyossef12@xxxxxxxxx> wrote:
>While fuzzing, the name marked by FDT_BEGIN_NODE sometimes extends beyond
>the struct block area, causing a heap-overflow.
>
>Since `maxlen` is an unsigned integer representing the length of name,
>It can be negative, so it overflows to large numbers, Causing strnlen()
>to overflow.
>
>So we can just change the type of maxlen to signed and check if it's a
>non-positive value, because name has a minimum length of 1 byte ('\0').
>
>Also in strnlen() we shouldn't check for bytes exceeding maxlen, so we can remove
>+ 1 in strnlen(). We also change if (len > maxlen) to >= to count for the null
>terminator.
>
>Signed-off-by: Abdelrahman Youssef <abdelrahmanyossef12@xxxxxxxxx>
>
>---
>v3 -> v4:
>  - replace maxlen < 0 to maxlen <= 0 (Sascha)
>  - remove + 1 in strnlen() (Sascha)
>v2 -> v3
>  - changed formatting
>v1 -> v2
>  - the overflow was due to integer overflow not out-of-bounds (Ahmad)
>---
> drivers/of/fdt.c | 11 ++++++++---
> 1 file changed, 8 insertions(+), 3 deletions(-)
>
>diff --git a/drivers/of/fdt.c b/drivers/of/fdt.c
>index 2c3ea31394..75af1844f3 100644
>--- a/drivers/of/fdt.c
>+++ b/drivers/of/fdt.c
>@@ -176,7 +176,7 @@ static struct device_node *__of_unflatten_dtb(const void *infdt, int size,
> 	void *dt_strings;
> 	struct fdt_header f;
> 	int ret;
>-	unsigned int maxlen;
>+	int maxlen;
> 	const struct fdt_header *fdt = infdt;
> 
> 	ret = fdt_parse_header(infdt, size, &f);
>@@ -210,8 +210,13 @@ static struct device_node *__of_unflatten_dtb(const void *infdt, int size,
> 			maxlen = (unsigned long)fdt + f.off_dt_struct +
> 				f.size_dt_struct - (unsigned long)name;
> 
>-			len = strnlen(name, maxlen + 1);
>-			if (len > maxlen) {
>+			if (maxlen <= 0) {
>+				ret = -ESPIPE;
>+				goto err;
>+			}
>+
>+			len = strnlen(name, maxlen);
>+			if (len >= maxlen) {
here len cannot exceed maxlen, but if len == maxlen this means that there is not nul-byte in the name array (up to maxlen).
by not passing maxlen + 1 there is a slight behavior change but i don't know if this an issus or not.
in the previous case strnlen could read one past maxlen which is suspicious (maybe a bug)

> 				ret = -ESPIPE;
> 				goto err;
> 			}