[PATCH] libfdt: fix fdt_check_full buffer overrun

[PATCH] libfdt: fix fdt_check_full buffer overrun

[patrick.oppenlander-Re5JQEeQqe8AvxtiuMwx3w]

From: Patrick Oppenlander <patrick.oppenlander-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>

fdt_check_header assumes that its argument points to a complete header
and can read data beyond the FDT_V1_SIZE bytes which fdt_check_full
can provide.

fdt_header_size can safely return a header size with FDT_V1_SIZE bytes
available and will return a usable value even for a corrupted header.

Signed-off-by: Patrick Oppenlander <patrick.oppenlander-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
---
 libfdt/fdt_check.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/libfdt/fdt_check.c b/libfdt/fdt_check.c
index 7f6a96c..9ddfdbf 100644
--- a/libfdt/fdt_check.c
+++ b/libfdt/fdt_check.c
@@ -22,6 +22,8 @@ int fdt_check_full(const void *fdt, size_t bufsize)
 
 	if (bufsize < FDT_V1_SIZE)
 		return -FDT_ERR_TRUNCATED;
+	if (bufsize < fdt_header_size(fdt))
+		return -FDT_ERR_TRUNCATED;
 	err = fdt_check_header(fdt);
 	if (err != 0)
 		return err;
-- 
2.27.0

Re: [PATCH] libfdt: fix fdt_check_full buffer overrun

[David Gibson]

[-- Attachment #1: Type: text/plain, Size: 1349 bytes --]

On Thu, Jul 09, 2020 at 02:14:51PM +1000, patrick.oppenlander-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org wrote:
> From: Patrick Oppenlander <patrick.oppenlander-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
> 
> fdt_check_header assumes that its argument points to a complete header
> and can read data beyond the FDT_V1_SIZE bytes which fdt_check_full
> can provide.
> 
> fdt_header_size can safely return a header size with FDT_V1_SIZE bytes
> available and will return a usable value even for a corrupted header.
> 
> Signed-off-by: Patrick Oppenlander <patrick.oppenlander-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>

Applied, thanks.

> ---
>  libfdt/fdt_check.c | 2 ++
>  1 file changed, 2 insertions(+)
> 
> diff --git a/libfdt/fdt_check.c b/libfdt/fdt_check.c
> index 7f6a96c..9ddfdbf 100644
> --- a/libfdt/fdt_check.c
> +++ b/libfdt/fdt_check.c
> @@ -22,6 +22,8 @@ int fdt_check_full(const void *fdt, size_t bufsize)
>  
>  	if (bufsize < FDT_V1_SIZE)
>  		return -FDT_ERR_TRUNCATED;
> +	if (bufsize < fdt_header_size(fdt))
> +		return -FDT_ERR_TRUNCATED;
>  	err = fdt_check_header(fdt);
>  	if (err != 0)
>  		return err;

-- 
David Gibson			| I'll have my music baroque, and my code
david AT gibson.dropbear.id.au	| minimalist, thank you.  NOT _the_ _other_
				| _way_ _around_!
http://www.ozlabs.org/~dgibson

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]