From: David Gibson <david-xT8FGy+AXnRB3Ne2BGzF6laj5H9X9Tb+@public.gmane.org>
To: Tadeusz Struk <tadeusz.struk-QSEj5FYQhm4dnm+yROfE0A@public.gmane.org>
Cc: Rob Herring <robh-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org>,
devicetree-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
devicetree-compiler-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
Subject: Re: [PATCH v3 1/2] libfdt: prevent integer overflow in fdt_next_tag
Date: Thu, 6 Oct 2022 18:52:58 +1100 [thread overview]
Message-ID: <Yz6JWi1AcAuiptup@yekko> (raw)
In-Reply-To: <20221005232931.3016047-1-tadeusz.struk-QSEj5FYQhm4dnm+yROfE0A@public.gmane.org>
[-- Attachment #1: Type: text/plain, Size: 2454 bytes --]
On Wed, Oct 05, 2022 at 04:29:30PM -0700, Tadeusz Struk wrote:
> Since fdt_next_tag() in a public API function all input parameters,
> including the fdt blob should not be trusted. It is possible to forge
> a blob with invalid property length that will cause integer overflow
> during offset calculation. To prevent that, validate the property length
> read from the blob before doing calculations.
>
> Signed-off-by: Tadeusz Struk <tadeusz.struk-QSEj5FYQhm4dnm+yROfE0A@public.gmane.org>
Reviewed-by: David Gibson <david-xT8FGy+AXnRB3Ne2BGzF6laj5H9X9Tb+@public.gmane.org>
> ---
> v2:
> * Use len local variable to avoid multiple calls to fdt32_to_cpu(*lenp)
> * Add can_assume(VALID_DTB) to the new checks
> v3:
> * Use unsigned integer for prop len and offset validation
> ---
> libfdt/fdt.c | 17 ++++++++++++-----
> 1 file changed, 12 insertions(+), 5 deletions(-)
>
> diff --git a/libfdt/fdt.c b/libfdt/fdt.c
> index 90a39e8..20c6415 100644
> --- a/libfdt/fdt.c
> +++ b/libfdt/fdt.c
> @@ -162,7 +162,7 @@ const void *fdt_offset_ptr(const void *fdt, int offset, unsigned int len)
> uint32_t fdt_next_tag(const void *fdt, int startoffset, int *nextoffset)
> {
> const fdt32_t *tagp, *lenp;
> - uint32_t tag;
> + uint32_t tag, len, sum;
> int offset = startoffset;
> const char *p;
>
> @@ -188,12 +188,19 @@ uint32_t fdt_next_tag(const void *fdt, int startoffset, int *nextoffset)
> lenp = fdt_offset_ptr(fdt, offset, sizeof(*lenp));
> if (!can_assume(VALID_DTB) && !lenp)
> return FDT_END; /* premature end */
> +
> + len = fdt32_to_cpu(*lenp);
> + sum = len + offset;
> + if (!can_assume(VALID_DTB) &&
> + (INT_MAX <= sum || sum < (uint32_t) offset))
> + return FDT_END; /* premature end */
> +
> /* skip-name offset, length and value */
> - offset += sizeof(struct fdt_property) - FDT_TAGSIZE
> - + fdt32_to_cpu(*lenp);
> + offset += sizeof(struct fdt_property) - FDT_TAGSIZE + len;
> +
> if (!can_assume(LATEST) &&
> - fdt_version(fdt) < 0x10 && fdt32_to_cpu(*lenp) >= 8 &&
> - ((offset - fdt32_to_cpu(*lenp)) % 8) != 0)
> + fdt_version(fdt) < 0x10 && len >= 8 &&
> + ((offset - len) % 8) != 0)
> offset += 4;
> break;
>
--
David Gibson | I'll have my music baroque, and my code
david AT gibson.dropbear.id.au | minimalist, thank you. NOT _the_ _other_
| _way_ _around_!
http://www.ozlabs.org/~dgibson
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]
WARNING: multiple messages have this Message-ID (diff)
From: David Gibson <david@gibson.dropbear.id.au>
To: Tadeusz Struk <tadeusz.struk@linaro.org>
Cc: Rob Herring <robh@kernel.org>,
devicetree@vger.kernel.org, devicetree-compiler@vger.kernel.org
Subject: Re: [PATCH v3 1/2] libfdt: prevent integer overflow in fdt_next_tag
Date: Thu, 6 Oct 2022 18:52:58 +1100 [thread overview]
Message-ID: <Yz6JWi1AcAuiptup@yekko> (raw)
In-Reply-To: <20221005232931.3016047-1-tadeusz.struk@linaro.org>
[-- Attachment #1: Type: text/plain, Size: 2397 bytes --]
On Wed, Oct 05, 2022 at 04:29:30PM -0700, Tadeusz Struk wrote:
> Since fdt_next_tag() in a public API function all input parameters,
> including the fdt blob should not be trusted. It is possible to forge
> a blob with invalid property length that will cause integer overflow
> during offset calculation. To prevent that, validate the property length
> read from the blob before doing calculations.
>
> Signed-off-by: Tadeusz Struk <tadeusz.struk@linaro.org>
Reviewed-by: David Gibson <david@gibson.dropbear.id.au>
> ---
> v2:
> * Use len local variable to avoid multiple calls to fdt32_to_cpu(*lenp)
> * Add can_assume(VALID_DTB) to the new checks
> v3:
> * Use unsigned integer for prop len and offset validation
> ---
> libfdt/fdt.c | 17 ++++++++++++-----
> 1 file changed, 12 insertions(+), 5 deletions(-)
>
> diff --git a/libfdt/fdt.c b/libfdt/fdt.c
> index 90a39e8..20c6415 100644
> --- a/libfdt/fdt.c
> +++ b/libfdt/fdt.c
> @@ -162,7 +162,7 @@ const void *fdt_offset_ptr(const void *fdt, int offset, unsigned int len)
> uint32_t fdt_next_tag(const void *fdt, int startoffset, int *nextoffset)
> {
> const fdt32_t *tagp, *lenp;
> - uint32_t tag;
> + uint32_t tag, len, sum;
> int offset = startoffset;
> const char *p;
>
> @@ -188,12 +188,19 @@ uint32_t fdt_next_tag(const void *fdt, int startoffset, int *nextoffset)
> lenp = fdt_offset_ptr(fdt, offset, sizeof(*lenp));
> if (!can_assume(VALID_DTB) && !lenp)
> return FDT_END; /* premature end */
> +
> + len = fdt32_to_cpu(*lenp);
> + sum = len + offset;
> + if (!can_assume(VALID_DTB) &&
> + (INT_MAX <= sum || sum < (uint32_t) offset))
> + return FDT_END; /* premature end */
> +
> /* skip-name offset, length and value */
> - offset += sizeof(struct fdt_property) - FDT_TAGSIZE
> - + fdt32_to_cpu(*lenp);
> + offset += sizeof(struct fdt_property) - FDT_TAGSIZE + len;
> +
> if (!can_assume(LATEST) &&
> - fdt_version(fdt) < 0x10 && fdt32_to_cpu(*lenp) >= 8 &&
> - ((offset - fdt32_to_cpu(*lenp)) % 8) != 0)
> + fdt_version(fdt) < 0x10 && len >= 8 &&
> + ((offset - len) % 8) != 0)
> offset += 4;
> break;
>
--
David Gibson | I'll have my music baroque, and my code
david AT gibson.dropbear.id.au | minimalist, thank you. NOT _the_ _other_
| _way_ _around_!
http://www.ozlabs.org/~dgibson
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]
next prev parent reply other threads:[~2022-10-06 7:52 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-10-05 23:29 [PATCH v3 1/2] libfdt: prevent integer overflow in fdt_next_tag Tadeusz Struk
2022-10-05 23:29 ` Tadeusz Struk
[not found] ` <20221005232931.3016047-1-tadeusz.struk-QSEj5FYQhm4dnm+yROfE0A@public.gmane.org>
2022-10-05 23:29 ` [PATCH v3 2/2] libfdt: tests: add get_next_tag_invalid_prop_len Tadeusz Struk
2022-10-05 23:29 ` Tadeusz Struk
[not found] ` <20221005232931.3016047-2-tadeusz.struk-QSEj5FYQhm4dnm+yROfE0A@public.gmane.org>
2022-10-06 8:06 ` David Gibson
2022-10-06 8:06 ` David Gibson
2022-10-06 16:36 ` Tadeusz Struk
2022-10-06 16:36 ` Tadeusz Struk
2022-10-06 7:52 ` David Gibson [this message]
2022-10-06 7:52 ` [PATCH v3 1/2] libfdt: prevent integer overflow in fdt_next_tag David Gibson
2022-10-11 23:51 ` David Gibson
2022-10-11 23:51 ` David Gibson
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=Yz6JWi1AcAuiptup@yekko \
--to=david-xt8fgy+axnrb3ne2bgzf6laj5h9x9tb+@public.gmane.org \
--cc=devicetree-compiler-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
--cc=devicetree-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
--cc=robh-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org \
--cc=tadeusz.struk-QSEj5FYQhm4dnm+yROfE0A@public.gmane.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.