* [PATCH] drivers: of: fix possible overflow
@ 2024-11-12 12:54 Abdelrahman Youssef
2024-11-12 14:03 ` Ahmad Fatoum
0 siblings, 1 reply; 2+ messages in thread
From: Abdelrahman Youssef @ 2024-11-12 12:54 UTC (permalink / raw)
To: s.hauer; +Cc: barebox, Abdelrahman Youssef
while parsing the fdt header, the name of the begining node marked by
FDT_BEGIN_NODE that is part of the struct block moves out of the block
that results in heap-overflow.
So this patch checks if the length of name (maxlen) + the offset of
the struct block exceeds the size of the whole block.
Signed-off-by: Abdelrahman Youssef <abdelrahmanyossef12@gmail.com>
---
drivers/of/fdt.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/drivers/of/fdt.c b/drivers/of/fdt.c
index 2c3ea31394..7dc8ee2529 100644
--- a/drivers/of/fdt.c
+++ b/drivers/of/fdt.c
@@ -210,6 +210,11 @@ static struct device_node *__of_unflatten_dtb(const void *infdt, int size,
maxlen = (unsigned long)fdt + f.off_dt_struct +
f.size_dt_struct - (unsigned long)name;
+ if (maxlen + f.off_dt_struct > f.size_dt_struct) {
+ ret = -ESPIPE;
+ goto err;
+ }
+
len = strnlen(name, maxlen + 1);
if (len > maxlen) {
ret = -ESPIPE;
--
2.43.0
^ permalink raw reply [flat|nested] 2+ messages in thread
* Re: [PATCH] drivers: of: fix possible overflow
2024-11-12 12:54 [PATCH] drivers: of: fix possible overflow Abdelrahman Youssef
@ 2024-11-12 14:03 ` Ahmad Fatoum
0 siblings, 0 replies; 2+ messages in thread
From: Ahmad Fatoum @ 2024-11-12 14:03 UTC (permalink / raw)
To: Abdelrahman Youssef, s.hauer; +Cc: barebox
Hello Abdelrahman,
Thanks for your patch.
On 12.11.24 13:54, Abdelrahman Youssef wrote:
> while parsing the fdt header, the name of the begining node marked by
> FDT_BEGIN_NODE that is part of the struct block moves out of the block
> that results in heap-overflow.
>
> So this patch checks if the length of name (maxlen) + the offset of
> the struct block exceeds the size of the whole block.
>
> Signed-off-by: Abdelrahman Youssef <abdelrahmanyossef12@gmail.com>
> ---
> drivers/of/fdt.c | 5 +++++
> 1 file changed, 5 insertions(+)
>
> diff --git a/drivers/of/fdt.c b/drivers/of/fdt.c
> index 2c3ea31394..7dc8ee2529 100644
> --- a/drivers/of/fdt.c
> +++ b/drivers/of/fdt.c
> @@ -210,6 +210,11 @@ static struct device_node *__of_unflatten_dtb(const void *infdt, int size,
> maxlen = (unsigned long)fdt + f.off_dt_struct +
> f.size_dt_struct - (unsigned long)name;
>
> + if (maxlen + f.off_dt_struct > f.size_dt_struct) {
This looks wrong:
- f.off_dt_struct is the offset in bytes of the struct area relative to
the start of the FDT
- f.size_dt_struct is the size of the struct area, i.e. the first byte
after the struct area and it does _not_ include the offset.
It doesn't make sense to subtract the size from the offset.
I have looked into it a little deeper now and I believe the root cause is
an integer overflow; if name _starts_ after the end of the struct area,
the computation for maxlen will result in a negative number and that
negative number would wrap around to a very big positive number.
We should change maxlen to be a (signed) int and return an error if
it becomes negative. Can you verify that fixes the issue and send a patch?
Cheers,
Ahmad
> + ret = -ESPIPE;
> + goto err;
> + }
> +
> len = strnlen(name, maxlen + 1);
> if (len > maxlen) {
> ret = -ESPIPE;
--
Pengutronix e.K. | |
Steuerwalder Str. 21 | http://www.pengutronix.de/ |
31137 Hildesheim, Germany | Phone: +49-5121-206917-0 |
Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-5555 |
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2024-11-12 14:04 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2024-11-12 12:54 [PATCH] drivers: of: fix possible overflow Abdelrahman Youssef
2024-11-12 14:03 ` Ahmad Fatoum
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox