Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 3088f584 authored by Vijay Kumar Pendoti's avatar Vijay Kumar Pendoti Committed by Gerrit - the friendly Code Review server
Browse files

dtc: add integer overflow checks in fdt header 



Protect against integer overflows caused by malformed fdt headers.

CRs-Fixed: 749977
Change-Id: I51d87038f520bc761b163d291b0138c513c69a33
Signed-off-by: default avatarVijay Kumar Pendoti <vpendo@codeaurora.org>
Signed-off-by: default avatarRishabh Bhatnagar <rishabhb@codeaurora.org>
parent 48c8494b

include/linux/libfdt_env.h

+1 −0
Original line number Diff line number Diff line
@@ -2,6 +2,7 @@ 
#ifndef LIBFDT_ENV_H

#define LIBFDT_ENV_H



#include <linux/kernel.h>

#include <linux/string.h>



#include <asm/byteorder.h>

scripts/dtc/libfdt/fdt.c

+14 −0
Original line number Diff line number Diff line
@@ -71,6 +71,20 @@ int fdt_check_header(const void *fdt) 
		return -FDT_ERR_BADMAGIC;

	}



	if (fdt_off_dt_struct(fdt) > (UINT_MAX - fdt_size_dt_struct(fdt)))

		return FDT_ERR_BADOFFSET;



	if (fdt_off_dt_strings(fdt) > (UINT_MAX -  fdt_size_dt_strings(fdt)))

		return FDT_ERR_BADOFFSET;



	if ((fdt_off_dt_struct(fdt) + fdt_size_dt_struct(fdt))

	    > fdt_totalsize(fdt))

		return FDT_ERR_BADOFFSET;



	if ((fdt_off_dt_strings(fdt) + fdt_size_dt_strings(fdt))

	    > fdt_totalsize(fdt))

		return FDT_ERR_BADOFFSET;



	return 0;

}

scripts/dtc/libfdt/fdt_rw.c

+1 −1
Original line number Diff line number Diff line
@@ -407,7 +407,7 @@ int fdt_del_node(void *fdt, int nodeoffset) 
static void fdt_packblocks_(const char *old, char *new,

			    int mem_rsv_size, int struct_size)

{

	int mem_rsv_off, struct_off, strings_off;

	uint32_t mem_rsv_off, struct_off, strings_off;



	mem_rsv_off = FDT_ALIGN(sizeof(struct fdt_header), 8);

	struct_off = mem_rsv_off + mem_rsv_size;