From 8d21690fa82bbc29cc34005103a2eda63eafabf3 Mon Sep 17 00:00:00 2001
From: Sascha Hauer
Date: Thu, 24 Jun 2021 10:52:08 +0200
Subject: fdt: Check blob size during unflattening

of_unflatten_dtb() doesn't check the size of the device tree blob passed to it. Add a size argument end add checks for the size. Some callers have no idea of the buffer size themselves, INT_MAX is passed in these cases.
Signed-off-by: Sascha Hauer
Link: https://lore.barebox.org/20210624085223.14616-4-s.hauer@pengutronix.de
Signed-off-by: Sascha Hauer
---
 common/blspec.c | 7 ++++---
 common/bootm.c | 4 ++--
 common/efi/efi.c | 2 +-
 common/image-fit.c | 2 +-
 common/state/backend_format_dtb.c | 2 +-
 5 files changed, 9 insertions(+), 8 deletions(-)
(limited to 'common')
diff --git a/common/blspec.c b/common/blspec.c
index ad80d7a8cd..056c0dbf7f 100644
--- a/common/blspec.c
+++ b/common/blspec.c
@@ -40,17 +40,18 @@ static int blspec_apply_oftree_overlay(char *file, const char *abspath,
 struct device_node *overlay;
 char *path;
 char *firmware_path;
+ size_t size;
 path = basprintf("%s/%s", abspath, file);
- fdt = read_file(path, NULL);
+ fdt = read_file(path, &size);
 if (!fdt) {
 pr_warn("unable to read \"%s\"\n", path);
 ret = -EINVAL;
 goto out;
 }
- overlay = of_unflatten_dtb(fdt);
+ overlay = of_unflatten_dtb(fdt, size);
 free(fdt);
 if (IS_ERR(overlay)) {
 ret = PTR_ERR(overlay);
@@ -490,7 +491,7 @@ static bool entry_is_of_compatible(struct blspec_entry *entry)
 goto out;
 }
- root = of_unflatten_dtb(fdt);
+ root = of_unflatten_dtb(fdt, size);
 if (IS_ERR(root)) {
 ret = false;
 root = NULL;
diff --git a/common/bootm.c b/common/bootm.c
index 644443a021..89e3e93f2c 100644
--- a/common/bootm.c
+++ b/common/bootm.c
@@ -361,7 +361,7 @@ void *bootm_get_devicetree(struct image_data *data)
 if (ret)
 return ERR_PTR(ret);
- data->of_root_node = of_unflatten_dtb(of_tree);
+ data->of_root_node = of_unflatten_dtb(of_tree, of_size);
 } else if (data->oftree_file) {
 size_t size;
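Review bot: In the entry_is_of_compatible() hunk of common/blspec.c, `of_unflatten_dtb(fdt, size)` relies on a `size` that is neither declared nor assigned inside the hunk, so the new bound cannot be verified from the patch; the same applies to `of_size` in the first bootm_get_devicetree() hunk and to `size` in the efi_late_init() hunk of common/efi/efi.c. The size check only protects the parser if that value is the byte count of exactly the buffer being passed, not a stale or larger length from an earlier read. After confirming this against the code outside the hunks, I would document it at each call, for example `/* size: length of the buffer fdt points to, as returned when it was read */`. All three functions start and end outside their hunks.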
@@ -389,7 +389,7 @@ void *bootm_get_devicetree(struct image_data *data)
 if (ret)
 return ERR_PTR(ret);
- data->of_root_node = of_unflatten_dtb(oftree);
+ data->of_root_node = of_unflatten_dtb(oftree, size);
 free(oftree);
diff --git a/common/efi/efi.c b/common/efi/efi.c
index 01003dc00f..7f12342cf9 100644
--- a/common/efi/efi.c
+++ b/common/efi/efi.c
@@ -437,7 +437,7 @@ static int efi_late_init(void)
 return -EINVAL;
 }
- root = of_unflatten_dtb(fdt);
+ root = of_unflatten_dtb(fdt, size);
 free(fdt);
diff --git a/common/image-fit.c b/common/image-fit.c
index 2c5ef7f687..c1a34a4405 100644
--- a/common/image-fit.c
+++ b/common/image-fit.c
@@ -754,7 +754,7 @@ static int fit_do_open(struct fit_handle *handle)
 const char *desc = "(no description)";
 struct device_node *root;
- root = of_unflatten_dtb_const(handle->fit);
+ root = of_unflatten_dtb_const(handle->fit, handle->size);
 if (IS_ERR(root))
 return PTR_ERR(root);
diff --git a/common/state/backend_format_dtb.c b/common/state/backend_format_dtb.c
index 48f30db1f5..d0fc948859 100644
--- a/common/state/backend_format_dtb.c
+++ b/common/state/backend_format_dtb.c
@@ -59,7 +59,7 @@ static int state_backend_format_dtb_verify(struct state_backend_format *format,
 fdtb->root = NULL;
 }
- root = of_unflatten_dtb(buf);
+ root = of_unflatten_dtb(buf, dtb_len);
 if (IS_ERR(root)) {
 dev_err(fdtb->dev, "Failed to unflatten dtb from buffer with length %zd, %ld\n", len, PTR_ERR(root));
--
cgit v1.2.3
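Review bot: In state_backend_format_dtb_verify(), the parser is now bounded by `dtb_len` in `of_unflatten_dtb(buf, dtb_len)`, but the dev_err() right below still prints `len`, so a failure log reports a length other than the one that was enforced. The assignment of `dtb_len` is outside the hunk; if it is derived from the blob's own header, the new bound is attacker-influenced and only helps when `dtb_len` has already been checked against the real buffer length `len`, which should be confirmed. I would log the value actually used, by ending the call with `dtb_len, PTR_ERR(root));`, or print both lengths. The function body starts and ends outside the hunk.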