* [PATCH] libfdt: fix fdt_check_full buffer overrun
@ 2020-07-09 4:14 patrick.oppenlander-Re5JQEeQqe8AvxtiuMwx3w
[not found] ` <20200709041451.338548-1-patrick.oppenlander-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
0 siblings, 1 reply; 2+ messages in thread
From: patrick.oppenlander-Re5JQEeQqe8AvxtiuMwx3w @ 2020-07-09 4:14 UTC (permalink / raw)
To: devicetree-compiler-u79uwXL29TY76Z2rM5mHXA; +Cc: Patrick Oppenlander
From: Patrick Oppenlander <patrick.oppenlander-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
fdt_check_header assumes that its argument points to a complete header
and can read data beyond the FDT_V1_SIZE bytes which fdt_check_full
can provide.
fdt_header_size can safely return a header size with FDT_V1_SIZE bytes
available and will return a usable value even for a corrupted header.
Signed-off-by: Patrick Oppenlander <patrick.oppenlander-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
---
libfdt/fdt_check.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/libfdt/fdt_check.c b/libfdt/fdt_check.c
index 7f6a96c..9ddfdbf 100644
--- a/libfdt/fdt_check.c
+++ b/libfdt/fdt_check.c
@@ -22,6 +22,8 @@ int fdt_check_full(const void *fdt, size_t bufsize)
if (bufsize < FDT_V1_SIZE)
return -FDT_ERR_TRUNCATED;
+ if (bufsize < fdt_header_size(fdt))
+ return -FDT_ERR_TRUNCATED;
err = fdt_check_header(fdt);
if (err != 0)
return err;
--
2.27.0
^ permalink raw reply related [flat|nested] 2+ messages in thread
* Re: [PATCH] libfdt: fix fdt_check_full buffer overrun
[not found] ` <20200709041451.338548-1-patrick.oppenlander-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
@ 2020-07-10 9:55 ` David Gibson
0 siblings, 0 replies; 2+ messages in thread
From: David Gibson @ 2020-07-10 9:55 UTC (permalink / raw)
To: patrick.oppenlander-Re5JQEeQqe8AvxtiuMwx3w
Cc: devicetree-compiler-u79uwXL29TY76Z2rM5mHXA
[-- Attachment #1: Type: text/plain, Size: 1349 bytes --]
On Thu, Jul 09, 2020 at 02:14:51PM +1000, patrick.oppenlander-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org wrote:
> From: Patrick Oppenlander <patrick.oppenlander-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
>
> fdt_check_header assumes that its argument points to a complete header
> and can read data beyond the FDT_V1_SIZE bytes which fdt_check_full
> can provide.
>
> fdt_header_size can safely return a header size with FDT_V1_SIZE bytes
> available and will return a usable value even for a corrupted header.
>
> Signed-off-by: Patrick Oppenlander <patrick.oppenlander-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
Applied, thanks.
> ---
> libfdt/fdt_check.c | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/libfdt/fdt_check.c b/libfdt/fdt_check.c
> index 7f6a96c..9ddfdbf 100644
> --- a/libfdt/fdt_check.c
> +++ b/libfdt/fdt_check.c
> @@ -22,6 +22,8 @@ int fdt_check_full(const void *fdt, size_t bufsize)
>
> if (bufsize < FDT_V1_SIZE)
> return -FDT_ERR_TRUNCATED;
> + if (bufsize < fdt_header_size(fdt))
> + return -FDT_ERR_TRUNCATED;
> err = fdt_check_header(fdt);
> if (err != 0)
> return err;
--
David Gibson | I'll have my music baroque, and my code
david AT gibson.dropbear.id.au | minimalist, thank you. NOT _the_ _other_
| _way_ _around_!
http://www.ozlabs.org/~dgibson
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2020-07-10 9:55 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-07-09 4:14 [PATCH] libfdt: fix fdt_check_full buffer overrun patrick.oppenlander-Re5JQEeQqe8AvxtiuMwx3w
[not found] ` <20200709041451.338548-1-patrick.oppenlander-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
2020-07-10 9:55 ` David Gibson
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.