From: Ahmad Fatoum <a.fatoum@pengutronix.de>
To: Abdelrahman Youssef <abdelrahmanyossef12@gmail.com>,
s.hauer@pengutronix.de
Cc: barebox@lists.infradead.org
Subject: Re: [PATCH] drivers: of: fix possible overflow
Date: Tue, 12 Nov 2024 15:03:27 +0100 [thread overview]
Message-ID: <9b217c79-1575-443c-a733-1aa9b0de53e8@pengutronix.de> (raw)
In-Reply-To: <20241112125452.333653-1-abdelrahmanyossef12@gmail.com>
Hello Abdelrahman,
Thanks for your patch.
On 12.11.24 13:54, Abdelrahman Youssef wrote:
> while parsing the fdt header, the name of the begining node marked by
> FDT_BEGIN_NODE that is part of the struct block moves out of the block
> that results in heap-overflow.
>
> So this patch checks if the length of name (maxlen) + the offset of
> the struct block exceeds the size of the whole block.
>
> Signed-off-by: Abdelrahman Youssef <abdelrahmanyossef12@gmail.com>
> ---
> drivers/of/fdt.c | 5 +++++
> 1 file changed, 5 insertions(+)
>
> diff --git a/drivers/of/fdt.c b/drivers/of/fdt.c
> index 2c3ea31394..7dc8ee2529 100644
> --- a/drivers/of/fdt.c
> +++ b/drivers/of/fdt.c
> @@ -210,6 +210,11 @@ static struct device_node *__of_unflatten_dtb(const void *infdt, int size,
> maxlen = (unsigned long)fdt + f.off_dt_struct +
> f.size_dt_struct - (unsigned long)name;
>
> + if (maxlen + f.off_dt_struct > f.size_dt_struct) {
This looks wrong:
- f.off_dt_struct is the offset in bytes of the struct area relative to
the start of the FDT
- f.size_dt_struct is the size of the struct area, i.e. the first byte
after the struct area and it does _not_ include the offset.
It doesn't make sense to subtract the size from the offset.
I have looked into it a little deeper now and I believe the root cause is
an integer overflow; if name _starts_ after the end of the struct area,
the computation for maxlen will result in a negative number and that
negative number would wrap around to a very big positive number.
We should change maxlen to be a (signed) int and return an error if
it becomes negative. Can you verify that fixes the issue and send a patch?
Cheers,
Ahmad
> + ret = -ESPIPE;
> + goto err;
> + }
> +
> len = strnlen(name, maxlen + 1);
> if (len > maxlen) {
> ret = -ESPIPE;
--
Pengutronix e.K. | |
Steuerwalder Str. 21 | http://www.pengutronix.de/ |
31137 Hildesheim, Germany | Phone: +49-5121-206917-0 |
Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-5555 |
prev parent reply other threads:[~2024-11-12 14:04 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-11-12 12:54 Abdelrahman Youssef
2024-11-12 14:03 ` Ahmad Fatoum [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=9b217c79-1575-443c-a733-1aa9b0de53e8@pengutronix.de \
--to=a.fatoum@pengutronix.de \
--cc=abdelrahmanyossef12@gmail.com \
--cc=barebox@lists.infradead.org \
--cc=s.hauer@pengutronix.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox