From: David Gibson <david-xT8FGy+AXnRB3Ne2BGzF6laj5H9X9Tb+@public.gmane.org>
To: patrick.oppenlander-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org
Cc: devicetree-compiler-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
Subject: Re: [PATCH] libfdt: fix fdt_check_full buffer overrun
Date: Fri, 10 Jul 2020 19:55:46 +1000 [thread overview]
Message-ID: <20200710095546.GA2666@umbus.fritz.box> (raw)
In-Reply-To: <20200709041451.338548-1-patrick.oppenlander-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
[-- Attachment #1: Type: text/plain, Size: 1349 bytes --]
On Thu, Jul 09, 2020 at 02:14:51PM +1000, patrick.oppenlander-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org wrote:
> From: Patrick Oppenlander <patrick.oppenlander-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
>
> fdt_check_header assumes that its argument points to a complete header
> and can read data beyond the FDT_V1_SIZE bytes which fdt_check_full
> can provide.
>
> fdt_header_size can safely return a header size with FDT_V1_SIZE bytes
> available and will return a usable value even for a corrupted header.
>
> Signed-off-by: Patrick Oppenlander <patrick.oppenlander-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
Applied, thanks.
> ---
> libfdt/fdt_check.c | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/libfdt/fdt_check.c b/libfdt/fdt_check.c
> index 7f6a96c..9ddfdbf 100644
> --- a/libfdt/fdt_check.c
> +++ b/libfdt/fdt_check.c
> @@ -22,6 +22,8 @@ int fdt_check_full(const void *fdt, size_t bufsize)
>
> if (bufsize < FDT_V1_SIZE)
> return -FDT_ERR_TRUNCATED;
> + if (bufsize < fdt_header_size(fdt))
> + return -FDT_ERR_TRUNCATED;
> err = fdt_check_header(fdt);
> if (err != 0)
> return err;
--
David Gibson | I'll have my music baroque, and my code
david AT gibson.dropbear.id.au | minimalist, thank you. NOT _the_ _other_
| _way_ _around_!
http://www.ozlabs.org/~dgibson
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]
prev parent reply other threads:[~2020-07-10 9:55 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-07-09 4:14 [PATCH] libfdt: fix fdt_check_full buffer overrun patrick.oppenlander-Re5JQEeQqe8AvxtiuMwx3w
[not found] ` <20200709041451.338548-1-patrick.oppenlander-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
2020-07-10 9:55 ` David Gibson [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200710095546.GA2666@umbus.fritz.box \
--to=david-xt8fgy+axnrb3ne2bgzf6laj5h9x9tb+@public.gmane.org \
--cc=devicetree-compiler-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
--cc=patrick.oppenlander-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).