* [PATCH] powerpc/boot: validate compatible entries before comparing them
@ 2026-04-03 8:56 Pengpeng Hou
0 siblings, 0 replies; only message in thread
From: Pengpeng Hou @ 2026-04-03 8:56 UTC (permalink / raw)
To: Madhavan Srinivasan, Michael Ellerman
Cc: Nicholas Piggin, Christophe Leroy (CS GROUP), linuxppc-dev,
linux-kernel, pengpeng
`dt_is_compatible()` reads a raw `"compatible"` property into `prop_buf`
and then immediately calls `strcmp(buf + pos, compat)` on each string-list
entry.
If the current entry is not NUL-terminated within the returned property
length, `strcmp()` reads past the end of the local buffer before the
following `strnlen()` has any chance to reject the malformed property.
Validate the current entry with `strnlen()` first and only compare
bounded, terminated compatible strings.
Signed-off-by: Pengpeng Hou <pengpeng@iscas.ac.cn>
---
arch/powerpc/boot/devtree.c | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/arch/powerpc/boot/devtree.c b/arch/powerpc/boot/devtree.c
index 58fbcfcc98c9..d93822f61831 100644
--- a/arch/powerpc/boot/devtree.c
+++ b/arch/powerpc/boot/devtree.c
@@ -343,11 +343,16 @@ int dt_is_compatible(void *node, const char *compat)
if (len < 0)
return 0;
- for (pos = 0; pos < len; pos++) {
+ for (pos = 0; pos < len; ) {
+ int entry_len = strnlen(&buf[pos], len - pos);
+
+ if (entry_len == len - pos)
+ return 0;
+
if (!strcmp(buf + pos, compat))
return 1;
- pos += strnlen(&buf[pos], len - pos);
+ pos += entry_len + 1;
}
return 0;
--
2.50.1 (Apple Git-155)
^ permalink raw reply related [flat|nested] only message in thread
only message in thread, other threads:[~2026-04-04 8:51 UTC | newest]
Thread overview: (only message) (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-04-03 8:56 [PATCH] powerpc/boot: validate compatible entries before comparing them Pengpeng Hou
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox