[PATCH] of: fdt: fix overflow caused by fdt_prop extending beyond fdt

Abdelrahman Youssef abdelrahmanyossef12 at gmail.com
Tue Nov 19 10:35:30 PST 2024


While parsing FDT, fdt_prop sometimes extends beyond FDT resulting in
heap-overflow.

dt_ptr_ok() checks a pointer is within bounds of the FDT, so we can use it
here to fix the issue.

Suggested-by: Ahmad Fatoum <a.fatoum at pengutronix.de>
Signed-off-by: Abdelrahman Youssef <abdelrahmanyossef12 at gmail.com>
---
 drivers/of/fdt.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/drivers/of/fdt.c b/drivers/of/fdt.c
index 75af1844f3..a756483578 100644
--- a/drivers/of/fdt.c
+++ b/drivers/of/fdt.c
@@ -257,6 +257,11 @@ static struct device_node *__of_unflatten_dtb(const void *infdt, int size,
 
 		case FDT_PROP:
 			fdt_prop = infdt + dt_struct;
+			if (dt_ptr_ok(fdt, fdt_prop)) {
+				ret = -ESPIPE;
+				goto err;
+			}
+
 			len = fdt32_to_cpu(fdt_prop->len);
 			nodep = fdt_prop->data;
 
-- 
2.43.0




More information about the barebox mailing list