While parsing FDT, fdt_prop sometimes extends beyond FDT resulting in
heap-overflow.
dt_ptr_ok() checks a pointer is within bounds of the FDT, so we can use it
here to fix the issue.
Suggested-by: Ahmad Fatoum <a.fatoum@xxxxxxxxxxxxxx>
Signed-off-by: Abdelrahman Youssef <abdelrahmanyossef12@xxxxxxxxx>
---
drivers/of/fdt.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/drivers/of/fdt.c b/drivers/of/fdt.c
index 75af1844f3..a756483578 100644
--- a/drivers/of/fdt.c
+++ b/drivers/of/fdt.c
@@ -257,6 +257,11 @@ static struct device_node *__of_unflatten_dtb(const void *infdt, int size,
case FDT_PROP:
fdt_prop = infdt + dt_struct;
+ if (dt_ptr_ok(fdt, fdt_prop)) {
+ ret = -ESPIPE;
+ goto err;
+ }
+
len = fdt32_to_cpu(fdt_prop->len);
nodep = fdt_prop->data;
--
2.43.0
