* [PATCH] fdt: change splicing offset detection
@ 2022-09-26 4:30 Elijah Conners
2022-10-22 1:06 ` Simon Glass
0 siblings, 1 reply; 2+ messages in thread
From: Elijah Conners @ 2022-09-26 4:30 UTC (permalink / raw)
To: u-boot; +Cc: sjg, trini
In fdt_rw.c, -FDT_ERR_BADOFFSET is returned when either the sum of the
old
length and the splice point are less than the splice point, or when the
sum of the old length and the splice point exceed the end of the
pointer.
Adding an int and a pointer may result in a pointer overflow, an
undefined behavior, which means that the result of this if statement
can't be recovered from. Checking if the old length exceeds the end of
the pointer minus the pointer is a much safer check.
Signed-off-by: Elijah Conners <business@elijahpepe.com>
---
scripts/dtc/libfdt/fdt_rw.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/scripts/dtc/libfdt/fdt_rw.c b/scripts/dtc/libfdt/fdt_rw.c
index 2eb2b38703..672b74ae7a 100644
--- a/scripts/dtc/libfdt/fdt_rw.c
+++ b/scripts/dtc/libfdt/fdt_rw.c
@@ -58,7 +58,7 @@ static int fdt_splice_(void *fdt, void *splicepoint, int oldlen, int newlen)
char *p = splicepoint;
char *end = (char *)fdt + fdt_data_size_(fdt);
- if (((p + oldlen) < p) || ((p + oldlen) > end))
+ if (oldlen >= (end - p))
return -FDT_ERR_BADOFFSET;
if ((p < (char *)fdt) || ((end - oldlen + newlen) < (char *)fdt))
return -FDT_ERR_BADOFFSET;
--
2.29.2.windows.2
^ permalink raw reply related [flat|nested] 2+ messages in thread
* Re: [PATCH] fdt: change splicing offset detection
2022-09-26 4:30 [PATCH] fdt: change splicing offset detection Elijah Conners
@ 2022-10-22 1:06 ` Simon Glass
0 siblings, 0 replies; 2+ messages in thread
From: Simon Glass @ 2022-10-22 1:06 UTC (permalink / raw)
To: Elijah Conners; +Cc: u-boot, trini
Hi Elijah,
On Sun, 25 Sept 2022 at 22:30, Elijah Conners <business@elijahpepe.com> wrote:
>
> In fdt_rw.c, -FDT_ERR_BADOFFSET is returned when either the sum of the
> old
> length and the splice point are less than the splice point, or when the
> sum of the old length and the splice point exceed the end of the
> pointer.
> Adding an int and a pointer may result in a pointer overflow, an
> undefined behavior, which means that the result of this if statement
> can't be recovered from. Checking if the old length exceeds the end of
> the pointer minus the pointer is a much safer check.
>
> Signed-off-by: Elijah Conners <business@elijahpepe.com>
> ---
> scripts/dtc/libfdt/fdt_rw.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/scripts/dtc/libfdt/fdt_rw.c b/scripts/dtc/libfdt/fdt_rw.c
> index 2eb2b38703..672b74ae7a 100644
> --- a/scripts/dtc/libfdt/fdt_rw.c
> +++ b/scripts/dtc/libfdt/fdt_rw.c
> @@ -58,7 +58,7 @@ static int fdt_splice_(void *fdt, void *splicepoint, int oldlen, int newlen)
> char *p = splicepoint;
> char *end = (char *)fdt + fdt_data_size_(fdt);
>
> - if (((p + oldlen) < p) || ((p + oldlen) > end))
> + if (oldlen >= (end - p))
> return -FDT_ERR_BADOFFSET;
> if ((p < (char *)fdt) || ((end - oldlen + newlen) < (char *)fdt))
> return -FDT_ERR_BADOFFSET;
> --
> 2.29.2.windows.2
Granted this function is not documented but I don't think the new
check is correct. I did not know that pointer overflow was undefined,
but perhaps there is another way to solve this? This breaks CI.
I suggest sending this to the devicetreee-compiler mailing list and
resolving it there first.
Regards,
Simon
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2022-10-22 1:09 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2022-09-26 4:30 [PATCH] fdt: change splicing offset detection Elijah Conners
2022-10-22 1:06 ` Simon Glass
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.