Changeset c81f432 in rtems for cpukit/dtc


Timestamp:
Mar 9, 2018, 12:28:56 PM (20 months ago)
Author:
David Gibson <david@…>
Branches:
master
Children:
9a7de8e
Parents:
6bc883b
git-author:
David Gibson <david@…> (03/09/18 12:28:56)
git-committer:
Sebastian Huber <sebastian.huber@…> (07/19/18 05:01:12)
Message:

libfdt: Safer access to memory reservations

fdt_num_mem_rsv() and fdt_get_mem_rsv() currently don't sanity check their
parameters, or the memory reserve section offset in the header. That means
that on a corrupted blob they could access outside of the range of memory
that they should.

This improves their safety checking, meaning they shouldn't access outside
the blob's bounds, even if its contents are badly corrupted.

Signed-off-by: David Gibson <david@…>
Tested-by: Alexey Kardashevskiy <aik@…>
Reviewed-by: Alexey Kardashevskiy <aik@…>
Reviewed-by: Simon Glass <sjg@…>

File:
1 edited

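--- a/cpukit/dtc/libfdt/fdt_ro.c
+++ b/cpukit/dtc/libfdt/fdt_ro.c
@@ -171,9 +171,27 @@
 }
 
+static const struct fdt_reserve_entry *fdt_mem_rsv(const void *fdt, int n)
+{
+        int offset = n * sizeof(struct fdt_reserve_entry);
+        int absoffset = fdt_off_mem_rsvmap(fdt) + offset;
+
+        if (absoffset < fdt_off_mem_rsvmap(fdt))
+                return NULL;
+        if (absoffset > fdt_totalsize(fdt) - sizeof(struct fdt_reserve_entry))
+                return NULL;
+        return fdt_mem_rsv_(fdt, n);
+}
+
 int fdt_get_mem_rsv(const void *fdt, int n, uint64_t *address, uint64_t *size)
 {
+        const struct fdt_reserve_entry *re;
+
         FDT_RO_PROBE(fdt);
-        *address = fdt64_to_cpu(fdt_mem_rsv_(fdt, n)->address);
-        *size = fdt64_to_cpu(fdt_mem_rsv_(fdt, n)->size);
+        re = fdt_mem_rsv(fdt, n);
+        if (!re)
+                return -FDT_ERR_BADOFFSET;
+
+        *address = fdt64_to_cpu(re->address);
+        *size = fdt64_to_cpu(re->size);
         return 0;
 }
@@ -181,9 +199,12 @@
 int fdt_num_mem_rsv(const void *fdt)
 {
-        int i = 0;
-
-        while (fdt64_to_cpu(fdt_mem_rsv_(fdt, i)->size) != 0)
-                i++;
-        return i;
+        int i;
+        const struct fdt_reserve_entry *re;
+
+        for (i = 0; (re = fdt_mem_rsv(fdt, i)) != NULL; i++) {
+                if (fdt64_to_cpu(re->size) == 0)
+                        return i;
+        }
+        return -FDT_ERR_TRUNCATED;
 }
 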
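Review bot: The index `n` is never range-checked in the new `fdt_mem_rsv()`, and `n * sizeof(struct fdt_reserve_entry)` is narrowed into an `int`, so on common ABIs a large caller-supplied `n` passed through `fdt_get_mem_rsv()` can wrap `offset` to a small value that passes both comparisons, while `fdt_mem_rsv_(fdt, n)` (defined outside this section, presumably indexing by the original `n`) still points far outside the blob. The upper-bound comparison is also evaluated unsigned, so if `fdt_totalsize(fdt)` is smaller than one entry the subtraction wraps and the check stops rejecting anything. Doing the arithmetic in a wider unsigned type closes both gaps: `uint64_t absoffset = (uint64_t)fdt_off_mem_rsvmap(fdt) + (uint64_t)n * sizeof(struct fdt_reserve_entry);` followed by `if (n < 0 || fdt_totalsize(fdt) < sizeof(struct fdt_reserve_entry) || absoffset > fdt_totalsize(fdt) - sizeof(struct fdt_reserve_entry)) return NULL;`. Separately, `fdt_num_mem_rsv()` can now return `-FDT_ERR_TRUNCATED`, which deserves a comment on the function because callers outside this section may treat the result as a plain count.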