[PATCH v2] of: fdt: fix overflow caused by fdt_prop extending beyond fdt

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



While parsing FDT, fdt_prop sometimes extends beyond FDT resulting in
heap-overflow.

dt_ptr_ok() checks a pointer is within bounds of the FDT, so we can use it
here to fix the issue.

Suggested-by: Ahmad Fatoum <a.fatoum@xxxxxxxxxxxxxx>
Signed-off-by: Abdelrahman Youssef <abdelrahmanyossef12@xxxxxxxxx>
---
 drivers/of/fdt.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/drivers/of/fdt.c b/drivers/of/fdt.c
index 75af1844f3..69c041cb89 100644
--- a/drivers/of/fdt.c
+++ b/drivers/of/fdt.c
@@ -257,6 +257,11 @@ static struct device_node *__of_unflatten_dtb(const void *infdt, int size,
 
 		case FDT_PROP:
 			fdt_prop = infdt + dt_struct;
+			if (!dt_ptr_ok(fdt, fdt_prop)) {
+				ret = -ESPIPE;
+				goto err;
+			}
+
 			len = fdt32_to_cpu(fdt_prop->len);
 			nodep = fdt_prop->data;
 
-- 
2.43.0





[Index of Archives]     [Linux Embedded]     [Linux USB Devel]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]     [XFree86]

  Powered by Linux