Changeset 80eaf45 in rtems


Timestamp: 07/09/18 04:50:38 (5 years ago)
Author: David Gibson <david@…>
Branches: 5, master
Children: 2af004e
Parents: 4fd05d3
git-author: David Gibson <david@…> (07/09/18 04:50:38)
git-committer: Sebastian Huber <sebastian.huber@…> (07/19/18 05:01:12)
Message:

libfdt: Add necessary header padding in fdt_create()

At present fdt_create() will succeed if there is exactly enough space to
put in the fdt header. However, it sets the off_mem_rsvmap field, a few
bytes past that in order to align the memory reservation block.

Having block pointers pointing past the end of the fdt is pretty ugly, even
if it is just a transient state. Worse, if fdt_resize() is called at
exactly the wrong time, it can end up accessing data past the blob's
allocated space because of this.

So, correct fdt_create() to ensure that there is sufficient space for the
alignment padding as well as the plain header. For paranoia, also add a
check in fdt_resize() to make sure we don't copy data from outside the
blob's bounds.

Signed-off-by: David Gibson <david@…>

File: 1 edited

  • cpukit/dtc/libfdt/fdt_sw.c

    r4fd05d3 r80eaf45  
    144144int fdt_create(void *buf, int bufsize)
    145145{
     146        const size_t hdrsize = FDT_ALIGN(sizeof(struct fdt_header),
     147                                         sizeof(struct fdt_reserve_entry));
    146148        void *fdt = buf;
    147149
    148         if (bufsize < sizeof(struct fdt_header))
     150        if (bufsize < hdrsize)
    149151                return -FDT_ERR_NOSPACE;
    150152
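
Review bot: The size check at new line 150 compares the signed `int bufsize` against the `size_t hdrsize`, so a negative bufsize is converted to a large unsigned value and passes the check instead of returning -FDT_ERR_NOSPACE. Consider rejecting negative sizes explicitly, for example `if (bufsize < 0 || (size_t)bufsize < hdrsize)`. A short comment on the `hdrsize` declaration saying that it includes the alignment padding for the memory reservation block would also help the next reader see why `sizeof(struct fdt_header)` alone is not enough.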
     
    156158        fdt_set_totalsize(fdt,  bufsize);
    157159
    158         fdt_set_off_mem_rsvmap(fdt, FDT_ALIGN(sizeof(struct fdt_header),
    159                                               sizeof(struct fdt_reserve_entry)));
     160        fdt_set_off_mem_rsvmap(fdt, hdrsize);
    160161        fdt_set_off_dt_struct(fdt, fdt_off_mem_rsvmap(fdt));
    161162        fdt_set_off_dt_strings(fdt, 0);
     
    173174        headsize = fdt_off_dt_struct(fdt) + fdt_size_dt_struct(fdt);
    174175        tailsize = fdt_size_dt_strings(fdt);
     176
     177        if ((headsize + tailsize) > fdt_totalsize(fdt))
     178                return -FDT_ERR_INTERNAL;
    175179
    176180        if ((headsize + tailsize) > bufsize)
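
Review bot: The new bounds check at line 177 adds `headsize + tailsize` before comparing against `fdt_totalsize(fdt)`, and both operands are built from offsets and sizes read out of the blob header. The declarations are not visible in this hunk, but if they are plain `int`, large header values could make the sum overflow and slip past both this check and the existing `bufsize` comparison below it. Checking each value against the total size individually before adding them would close that gap. The check also deserves a one-line comment explaining that -FDT_ERR_INTERNAL here means the sequential-write state is inconsistent, since the commit message describes it as a paranoia check and the code itself does not say so.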