From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from phobos.denx.de (phobos.denx.de [85.214.62.61]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.lore.kernel.org (Postfix) with ESMTPS id 318C5C32771 for ; Mon, 26 Sep 2022 11:53:44 +0000 (UTC) Received: from h2850616.stratoserver.net (localhost [IPv6:::1]) by phobos.denx.de (Postfix) with ESMTP id 4666C84DBD; Mon, 26 Sep 2022 13:53:25 +0200 (CEST) Authentication-Results: phobos.denx.de; dmarc=none (p=none dis=none) header.from=elijahpepe.com Authentication-Results: phobos.denx.de; spf=pass smtp.mailfrom=u-boot-bounces@lists.denx.de Received: by phobos.denx.de (Postfix, from userid 109) id B146C8499D; Mon, 26 Sep 2022 06:30:10 +0200 (CEST) Received: from sender4-of-o54.zoho.com (sender4-of-o54.zoho.com [136.143.188.54]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by phobos.denx.de (Postfix) with ESMTPS id E4C998499D for ; Mon, 26 Sep 2022 06:30:07 +0200 (CEST) Authentication-Results: phobos.denx.de; dmarc=none (p=none dis=none) header.from=elijahpepe.com Authentication-Results: phobos.denx.de; spf=pass smtp.mailfrom=business@elijahpepe.com ARC-Seal: i=1; a=rsa-sha256; t=1664166604; cv=none; d=zohomail.com; s=zohoarc; b=mt0ilur6yJ7twpwoJHBA2vNF4F5xVxgp2IFbuIxnluLF1eURmfkKq+kjcFD52U8rolM4ule31yDaBiCHOL2QV1x4+xXqo4iRce34VbSAHP/VYnK27iwRCvkAJ3Vw7Su6IY25+4IY/BXNP7IDhxqvZD2jJVWRqTF84hX0I3kb/GY= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1664166604; h=Content-Type:Content-Transfer-Encoding:Cc:Date:From:MIME-Version:Message-ID:Subject:To; bh=n2iG7O3mNGPrWYHiwXCWRCJjQje0bPei7q/yKzpXlIs=; b=nLK9ribVfHFxMUJ1It07FvedUdb9cwX1DwZdL3eg4Te+Z2V6MGVfFNLlE4jc515Laelmp+NifEni7E5dqHCVtMP1fIB1g+DOMJ+B47thc7Bi9iRweJXoQOkmzAJTPznqUZp70MOwMUfbSbhll6dipBkjnG7WqkZS2+tJnYQ9fws= ARC-Authentication-Results: i=1; mx.zohomail.com; spf=pass smtp.mailfrom=business@elijahpepe.com; dmarc=pass header.from= Received: from mail.zoho.com by mx.zohomail.com with SMTP id 1664166602831114.12626987108865; Sun, 25 Sep 2022 21:30:02 -0700 (PDT) Date: Sun, 25 Sep 2022 21:30:02 -0700 From: Elijah Conners To: "u-boot" Cc: "sjg" , "trini" Message-ID: <183780f2842.101060331203165.2781699063163773236@elijahpepe.com> In-Reply-To: Subject: [PATCH] fdt: change splicing offset detection MIME-Version: 1.0 Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: 7bit Importance: Medium User-Agent: Zoho Mail X-Mailer: Zoho Mail X-Mailman-Approved-At: Mon, 26 Sep 2022 13:53:20 +0200 X-BeenThere: u-boot@lists.denx.de X-Mailman-Version: 2.1.39 Precedence: list List-Id: U-Boot discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: u-boot-bounces@lists.denx.de Sender: "U-Boot" X-Virus-Scanned: clamav-milter 0.103.6 at phobos.denx.de X-Virus-Status: Clean In fdt_rw.c, -FDT_ERR_BADOFFSET is returned when either the sum of the old length and the splice point are less than the splice point, or when the sum of the old length and the splice point exceed the end of the pointer. Adding an int and a pointer may result in a pointer overflow, an undefined behavior, which means that the result of this if statement can't be recovered from. Checking if the old length exceeds the end of the pointer minus the pointer is a much safer check. Signed-off-by: Elijah Conners --- scripts/dtc/libfdt/fdt_rw.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/dtc/libfdt/fdt_rw.c b/scripts/dtc/libfdt/fdt_rw.c index 2eb2b38703..672b74ae7a 100644 --- a/scripts/dtc/libfdt/fdt_rw.c +++ b/scripts/dtc/libfdt/fdt_rw.c @@ -58,7 +58,7 @@ static int fdt_splice_(void *fdt, void *splicepoint, int oldlen, int newlen) char *p = splicepoint; char *end = (char *)fdt + fdt_data_size_(fdt); - if (((p + oldlen) < p) || ((p + oldlen) > end)) + if (oldlen >= (end - p)) return -FDT_ERR_BADOFFSET; if ((p < (char *)fdt) || ((end - oldlen + newlen) < (char *)fdt)) return -FDT_ERR_BADOFFSET; -- 2.29.2.windows.2