
libfdt: prevent integer overflow in fdt_next_tag

Since fdt_next_tag() is a public API function, all input parameters,
including the fdt blob should not be trusted. It is possible to forge
a blob with invalid property length that will cause integer overflow
during offset calculation. To prevent that, validate the property length
read from the blob before doing calculations.

Signed-off-by: Tadeusz Struk <tadeusz.struk@linaro.org>
Message-Id: <20221005232931.3016047-1-tadeusz.struk@linaro.org>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Tadeusz Struk 2 years ago committed by David Gibson
parent
commit
73590342fc
  1. 17
      libfdt/fdt.c

17
libfdt/fdt.c

@ -162,7 +162,7 @@ const void *fdt_offset_ptr(const void *fdt, int offset, unsigned int len)
uint32_t fdt_next_tag(const void *fdt, int startoffset, int *nextoffset) uint32_t fdt_next_tag(const void *fdt, int startoffset, int *nextoffset)
{ {
const fdt32_t *tagp, *lenp; const fdt32_t *tagp, *lenp;
uint32_t tag; uint32_t tag, len, sum;
int offset = startoffset; int offset = startoffset;
const char *p; const char *p;


@ -188,12 +188,19 @@ uint32_t fdt_next_tag(const void *fdt, int startoffset, int *nextoffset)
lenp = fdt_offset_ptr(fdt, offset, sizeof(*lenp)); lenp = fdt_offset_ptr(fdt, offset, sizeof(*lenp));
if (!can_assume(VALID_DTB) && !lenp) if (!can_assume(VALID_DTB) && !lenp)
return FDT_END; /* premature end */ return FDT_END; /* premature end */

len = fdt32_to_cpu(*lenp);
sum = len + offset;
if (!can_assume(VALID_DTB) &&
(INT_MAX <= sum || sum < (uint32_t) offset))
return FDT_END; /* premature end */

/* skip-name offset, length and value */ /* skip-name offset, length and value */
offset += sizeof(struct fdt_property) - FDT_TAGSIZE offset += sizeof(struct fdt_property) - FDT_TAGSIZE + len;
+ fdt32_to_cpu(*lenp);
if (!can_assume(LATEST) && if (!can_assume(LATEST) &&
fdt_version(fdt) < 0x10 && fdt32_to_cpu(*lenp) >= 8 && fdt_version(fdt) < 0x10 && len >= 8 &&
((offset - fdt32_to_cpu(*lenp)) % 8) != 0) ((offset - len) % 8) != 0)
offset += 4; offset += 4;
break; break;
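Review bot: The new guard `INT_MAX <= sum || sum < (uint32_t) offset` still leaves a small window, because the `offset += sizeof(struct fdt_property) - FDT_TAGSIZE + len;` line below it adds the fixed header size on top of `len`, and the `fdt_version(fdt) < 0x10` branch can add another 4, so a forged `len` that lands `sum` just below INT_MAX still drives `offset` past INT_MAX (the size_t result is then narrowed back into the int `offset`, giving a negative value). If the function's trailing range check still forms `offset - startoffset`, as upstream does, that subtraction can then overflow, which is the class of bug this commit sets out to close. Consider folding the fixed overhead into the bound, e.g. `if (!can_assume(VALID_DTB) && (sum < (uint32_t) offset || INT_MAX - (sizeof(struct fdt_property) - FDT_TAGSIZE) - 4 <= sum))`, with a comment such as `/* leave room for the property header and the pre-v16 alignment pad */`. fdt_next_tag() begins before the first hunk and continues past this one, so the trailing check itself is not visible here.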


