author | Simon Glass <sjg@chromium.org> | 2021-02-15 17:08:05 -0700 |
---|---|---|
committer | Tom Rini <trini@konsulko.com> | 2021-02-15 19:17:18 -0500 |
commit | 8a7d4cf9820ea16fabd25a6379351b4dc291204b (patch) | |
tree | 4e415095b42ce8fd845767e1326d27e7cdbc66e8 | |
parent | 6144438fb5c9059dc87cf219bed0c992f70b3509 (diff) | |
download | u-boot-8a7d4cf9820ea16fabd25a6379351b4dc291204b.tar.gz |
fdt_region: Check for a single root node of the correct name
At present fdt_find_regions() assumes that the FIT is a valid devicetree.
If the FIT has two root nodes this is currently not detected in this
function, nor does libfdt's fdt_check_full() notice. Also it is possible
for the root node to have a name even though it should not.
Add checks for these and return -FDT_ERR_BADSTRUCTURE if a problem is
detected.
CVE-2021-27097
Signed-off-by: Simon Glass <sjg@chromium.org>
Reported-by: Bruce Monroe <bruce.monroe@intel.com>
Reported-by: Arie Haenel <arie.haenel@intel.com>
Reported-by: Julien Lenoir <julien.lenoir@intel.com>
-rw-r--r-- | common/fdt_region.c | 11 |
1 files changed, 11 insertions, 0 deletions
diff --git a/common/fdt_region.c b/common/fdt_region.c
index ff12c518e9..e4ef0ca770 100644
--- a/common/fdt_region.c
+++ b/common/fdt_region.c
@@ -43,6 +43,7 @@ int fdt_find_regions(const void *fdt, char * const inc[], int inc_count,
 int depth = -1;
 int want = 0;
 int base = fdt_off_dt_struct(fdt);
+ bool expect_end = false;
 end = path;
 *end = '\0';
@@ -59,6 +60,10 @@ int fdt_find_regions(const void *fdt, char * const inc[], int inc_count,
 tag = fdt_next_tag(fdt, offset, &nextoffset);
 stop_at = nextoffset;
+ /* If we see two root nodes, something is wrong */
+ if (expect_end && tag != FDT_END)
+ return -FDT_ERR_BADLAYOUT;
+
 switch (tag) {
 case FDT_PROP:
 include = want >= 2;
@@ -81,6 +86,10 @@ int fdt_find_regions(const void *fdt, char * const inc[], int inc_count,
 if (depth == FDT_MAX_DEPTH)
 return -FDT_ERR_BADSTRUCTURE;
 name = fdt_get_name(fdt, offset, &len);
+
+ /* The root node must have an empty name */
+ if (!depth && *name)
+ return -FDT_ERR_BADLAYOUT;
 if (end - path + 2 + len >= path_len)
 return -FDT_ERR_NOSPACE;
 if (end != path + 1)
@@ -108,6 +117,8 @@ int fdt_find_regions(const void *fdt, char * const inc[], int inc_count,
 while (end > path && *--end != '/') ;
 *end = '\0';
+ if (depth == -1)
+ expect_end = true;
 break;
 case FDT_END: |
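Review bot: The two-root check in the second hunk returns `-FDT_ERR_BADLAYOUT`, but the commit message says these cases return -FDT_ERR_BADSTRUCTURE, and the existing depth check visible in the third hunk uses `-FDT_ERR_BADSTRUCTURE`. The root-name check added in the third hunk has the same mismatch. A second root node or a named root is a malformed tag stream, so `return -FDT_ERR_BADSTRUCTURE;` would agree with both the message and the neighbouring code. If BADLAYOUT is intended, the message and the function's documented return values should say so, since callers that log or branch on the code will otherwise see a value the description does not mention. The loop this check sits in starts outside the hunk.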
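Review bot: In the third hunk `*name` is read before anything confirms that `fdt_get_name()` succeeded. That function returns NULL and stores a negative error in `len` on failure, so if the lookup ever fails on a crafted blob the new root-name test dereferences NULL at depth 0. Because this commit hardens the walker against malformed FITs, consider adding `if (!name) return len;` directly after the call. It would also keep a negative `len` out of the `end - path + 2 + len >= path_len` bound that follows. The rest of the FDT_BEGIN_NODE case lies outside the hunk, so whether a later line already guards this cannot be confirmed here.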
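Review bot: The `depth == -1` test in the fourth hunk has no comment, and its meaning depends on the depth decrement that happens earlier in this case, outside the hunk. Suggest `/* Root node closed: only FDT_END may follow */` above it, so the link to the `expect_end` check at the top of the loop is visible to the next reader. If nothing above the hunk stops an unmatched FDT_END_NODE from taking depth below -1, that deserves its own check; it cannot be confirmed from the lines shown.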