On 19.11.24 19:35, Abdelrahman Youssef wrote:
> While parsing FDT, fdt_prop sometimes extends beyond FDT resulting in
> heap-overflow.
>
> dt_ptr_ok() checks a pointer is within bounds of the FDT, so we can use it
> here to fix the issue.
>
> Suggested-by: Ahmad Fatoum <a.fatoum@xxxxxxxxxxxxxx>
> Signed-off-by: Abdelrahman Youssef <abdelrahmanyossef12@xxxxxxxxx>
> ---
> drivers/of/fdt.c | 5 +++++
> 1 file changed, 5 insertions(+)
>
> diff --git a/drivers/of/fdt.c b/drivers/of/fdt.c
> index 75af1844f3..a756483578 100644
> --- a/drivers/of/fdt.c
> +++ b/drivers/of/fdt.c
> @@ -257,6 +257,11 @@ static struct device_node *__of_unflatten_dtb(const void *infdt, int size,
>
> case FDT_PROP:
> fdt_prop = infdt + dt_struct;
> + if (dt_ptr_ok(fdt, fdt_prop)) {
Shouldn't you invert the condition?
Cheers,
Ahmad
> + ret = -ESPIPE;
> + goto err;
> + }
> +
> len = fdt32_to_cpu(fdt_prop->len);
> nodep = fdt_prop->data;
>
--
Pengutronix e.K. | |
Steuerwalder Str. 21 | http://www.pengutronix.de/ |
31137 Hildesheim, Germany | Phone: +49-5121-206917-0 |
Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-5555 |
