* [PATCH 2/2] libfdt: tests: add get_next_tag_invalid_prop_len
[not found] ` <20220929235536.618370-1-tadeusz.struk-QSEj5FYQhm4dnm+yROfE0A@public.gmane.org>
@ 2022-09-29 23:55 ` Tadeusz Struk
2022-09-30 13:18 ` [PATCH 1/2] libfdt: prevent integer overflow in fdt_next_tag Rob Herring
1 sibling, 0 replies; 3+ messages in thread
From: Tadeusz Struk @ 2022-09-29 23:55 UTC (permalink / raw)
To: David Gibson
Cc: devicetree-compiler-u79uwXL29TY76Z2rM5mHXA,
tadeusz.struk-QSEj5FYQhm4dnm+yROfE0A
Add a new test get_next_tag_invalid_prop_len, which covers
fdt_next_tag() when it is passed a corrupted blob, with
invalid property len values.
Signed-off-by: Tadeusz Struk <tadeusz.struk-QSEj5FYQhm4dnm+yROfE0A@public.gmane.org>
---
tests/.gitignore | 1 +
tests/Makefile.tests | 2 +-
tests/get_next_tag_invalid_prop_len.c | 59 +++++++++++++++++++++++++++
tests/meson.build | 1 +
tests/run_tests.sh | 1 +
5 files changed, 63 insertions(+), 1 deletion(-)
create mode 100644 tests/get_next_tag_invalid_prop_len.c
diff --git a/tests/.gitignore b/tests/.gitignore
index 03bdde2..3376ed9 100644
--- a/tests/.gitignore
+++ b/tests/.gitignore
@@ -74,3 +74,4 @@ tmp.*
/truncated_memrsv
/utilfdt_test
/value-labels
+/get_next_tag_invalid_prop_len
diff --git a/tests/Makefile.tests b/tests/Makefile.tests
index 2d36c5d..2c5b4c9 100644
--- a/tests/Makefile.tests
+++ b/tests/Makefile.tests
@@ -4,7 +4,7 @@ LIB_TESTS_L = get_mem_rsv \
get_path supernode_atdepth_offset parent_offset \
node_offset_by_prop_value node_offset_by_phandle \
node_check_compatible node_offset_by_compatible \
- get_alias \
+ get_alias get_next_tag_invalid_prop_len \
char_literal \
sized_cells \
notfound \
diff --git a/tests/get_next_tag_invalid_prop_len.c b/tests/get_next_tag_invalid_prop_len.c
new file mode 100644
index 0000000..23de8c9
--- /dev/null
+++ b/tests/get_next_tag_invalid_prop_len.c
@@ -0,0 +1,59 @@
+// SPDX-License-Identifier: LGPL-2.1-or-later
+/*
+ * libfdt - Flat Device Tree manipulation
+ * Testcase for fdt_next_tag()
+ */
+#include <stdlib.h>
+#include <stdio.h>
+#include <string.h>
+#include <stdint.h>
+
+#include <libfdt.h>
+#include "tests.h"
+#include "testdata.h"
+
+int main(int argc, char *argv[])
+{
+ struct fdt_header *hdr;
+ struct fdt_property *prp;
+ void *fdt;
+ int size, nextoff;
+ uint32_t tag;
+
+ test_init(argc, argv);
+ size = sizeof(*hdr) + sizeof(*prp) + 256;
+ fdt = calloc(1, size);
+ if (!fdt)
+ FAIL("Can't allocate memory");
+
+ hdr = fdt;
+ prp = (struct fdt_property *)(((char *) fdt) + sizeof(*hdr));
+ fdt_set_magic(fdt, FDT_MAGIC);
+ fdt_set_totalsize(fdt, size);
+ fdt_set_version(fdt, 0x10);
+ prp->tag = cpu_to_fdt32(FDT_PROP);
+ prp->len = cpu_to_fdt32(256);
+ prp->nameoff = 0;
+
+ tag = fdt_next_tag(fdt, sizeof(*hdr), &nextoff);
+ if (tag != FDT_PROP)
+ FAIL("Invalid tag %X", tag);
+
+ if (nextoff != size)
+ FAIL("Invalid next_offset");
+
+ /* int overflow case */
+ prp->len = cpu_to_fdt32(0xFFFFFFFA);
+ tag = fdt_next_tag(fdt, sizeof(*hdr), &nextoff);
+ if (tag != FDT_END)
+ FAIL("Invalid tag, expected premature end");
+
+ /* negative offset case */
+ prp->len = cpu_to_fdt32(0x7FFFFFFA);
+ tag = fdt_next_tag(fdt, sizeof(*hdr), &nextoff);
+ if (tag != FDT_END)
+ FAIL("Invalid tag, expected premature end");
+
+ free(fdt);
+ PASS();
+}
diff --git a/tests/meson.build b/tests/meson.build
index 4ac154a..29a42dd 100644
--- a/tests/meson.build
+++ b/tests/meson.build
@@ -47,6 +47,7 @@ tests = [
'get_path',
'get_phandle',
'get_prop_offset',
+ 'get_next_tag_invalid_prop_len',
'getprop',
'incbin',
'integer-expressions',
diff --git a/tests/run_tests.sh b/tests/run_tests.sh
index 244df8a..397b9cf 100755
--- a/tests/run_tests.sh
+++ b/tests/run_tests.sh
@@ -346,6 +346,7 @@ tree1_tests () {
run_test get_prop_offset $TREE
run_test get_phandle $TREE
run_test get_path $TREE
+ run_test get_next_tag_invalid_prop_len $TREE #TREE not really needed
run_test supernode_atdepth_offset $TREE
run_test parent_offset $TREE
run_test node_offset_by_prop_value $TREE
--
2.37.3
^ permalink raw reply related [flat|nested] 3+ messages in thread* Re: [PATCH 1/2] libfdt: prevent integer overflow in fdt_next_tag
[not found] ` <20220929235536.618370-1-tadeusz.struk-QSEj5FYQhm4dnm+yROfE0A@public.gmane.org>
2022-09-29 23:55 ` [PATCH 2/2] libfdt: tests: add get_next_tag_invalid_prop_len Tadeusz Struk
@ 2022-09-30 13:18 ` Rob Herring
1 sibling, 0 replies; 3+ messages in thread
From: Rob Herring @ 2022-09-30 13:18 UTC (permalink / raw)
To: Tadeusz Struk; +Cc: David Gibson, devicetree-compiler-u79uwXL29TY76Z2rM5mHXA
On Thu, Sep 29, 2022 at 6:55 PM Tadeusz Struk <tadeusz.struk-QSEj5FYQhm4dnm+yROfE0A@public.gmane.org> wrote:
>
> Since fdt_next_tag() in a public API function all input parameters,
> including the fdt blob should not be trusted. It is possible to forge
> a blob with invalid property length that will cause integer overflow
> during offset calculation. To prevent that validate the property length
comma: ...that, validate...
> read from the blob before doing calculations.
>
> Signed-off-by: Tadeusz Struk <tadeusz.struk-QSEj5FYQhm4dnm+yROfE0A@public.gmane.org>
> ---
> libfdt/fdt.c | 8 +++++++-
> 1 file changed, 7 insertions(+), 1 deletion(-)
>
> diff --git a/libfdt/fdt.c b/libfdt/fdt.c
> index 90a39e8..c3e112a 100644
> --- a/libfdt/fdt.c
> +++ b/libfdt/fdt.c
> @@ -186,11 +186,17 @@ uint32_t fdt_next_tag(const void *fdt, int startoffset, int *nextoffset)
>
> case FDT_PROP:
> lenp = fdt_offset_ptr(fdt, offset, sizeof(*lenp));
> - if (!can_assume(VALID_DTB) && !lenp)
> + if (!can_assume(VALID_DTB) &&
> + (!lenp || (INT_MAX <= fdt32_to_cpu(*lenp))))
We now have fdt32_to_cpu(*lenp) 4 times. Stick it in a local var.
> return FDT_END; /* premature end */
> +
> /* skip-name offset, length and value */
> offset += sizeof(struct fdt_property) - FDT_TAGSIZE
> + fdt32_to_cpu(*lenp);
> +
> + if (offset < 0)
Needs a can_assume(VALID_DTB) check.
> + return FDT_END; /* premature end */
> +
> if (!can_assume(LATEST) &&
> fdt_version(fdt) < 0x10 && fdt32_to_cpu(*lenp) >= 8 &&
> ((offset - fdt32_to_cpu(*lenp)) % 8) != 0)
> --
> 2.37.3
>
^ permalink raw reply [flat|nested] 3+ messages in thread