[PATCH] libdft: fdt_next_tag: Harden offset overflow check

devicetree-compiler.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

From: "Pierre-Clément Tosi" <ptosi@google.com>
To: David Gibson <david@gibson.dropbear.id.au>
Cc: devicetree-compiler@vger.kernel.org,
	"Pierre-Clément Tosi" <ptosi@google.com>
Subject: [PATCH] libdft: fdt_next_tag: Harden offset overflow check
Date: Wed, 11 Oct 2023 18:24:27 +0100	[thread overview]
Message-ID: <20231011172427.g4tlsew3wsjtddil@google.com> (raw)

As 'offset' is obtained through various paths within the function by
adding user-provided values to 'startoffset' and as we validate its
final value by substracting it from the initial one, there is a risk
that one of the paths might have lead to an overflow, making the check
validate a "negative" (wrong) length, potentially causing fdt_next_tag()
to report an invalid offset as valid through 'nextoffset'.

For example, when parsing an FDT_PROP, we currently validate that

    offset = startoffset + len + FDT_TAGSIZE

doesn't overflow but then assign

    offset = startoffset + len + sizeof(struct fdt_property)

so harden all paths by validating the offset in the very last check.

Signed-off-by: Pierre-Clément Tosi <ptosi@google.com>
---
 libfdt/fdt.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/libfdt/fdt.c b/libfdt/fdt.c
index 20c6415..dda342d 100644
--- a/libfdt/fdt.c
+++ b/libfdt/fdt.c
@@ -213,7 +213,8 @@ uint32_t fdt_next_tag(const void *fdt, int startoffset, int *nextoffset)
 		return FDT_END;
 	}
 
-	if (!fdt_offset_ptr(fdt, startoffset, offset - startoffset))
+	if (!can_assume(VALID_DTB) && (offset <= startoffset
+	    || !fdt_offset_ptr(fdt, startoffset, offset - startoffset)))
 		return FDT_END; /* premature end */
 
 	*nextoffset = FDT_TAGALIGN(offset);
-- 
2.42.0.609.gbb76f46606-goog


-- 
Pierre

next             reply	other threads:[~2023-10-11 17:24 UTC|newest]

Thread overview: 2+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2023-10-11 17:24 Pierre-Clément Tosi [this message]
2023-10-12  4:23 ` [PATCH] libdft: fdt_next_tag: Harden offset overflow check David Gibson

find likely ancestor, descendant, or conflicting patches for this message:
dfblob:20c6415 dfblob:dda342d
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20231011172427.g4tlsew3wsjtddil@google.com \
    --to=ptosi@google.com \
    --cc=david@gibson.dropbear.id.au \
    --cc=devicetree-compiler@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).