diff options
| author | David Gibson <david@gibson.dropbear.id.au> | 2017-10-23 06:45:56 +0300 |
|---|---|---|
| committer | Sebastian Huber <sebastian.huber@embedded-brains.de> | 2018-07-19 07:01:11 +0200 |
| commit | 8073f95ef56a7c6dce04c04a12330b6c2839e23c (patch) | |
| tree | 43d49cae0d12750281feb4c88dca9596b92df46c /cpukit/dtc | |
| parent | libfdt: Improve sequential write state checking (diff) | |
| download | rtems-8073f95ef56a7c6dce04c04a12330b6c2839e23c.tar.bz2 | |
libfdt: Make fdt_check_header() more thorough
Currently fdt_check_header() performs only some rudimentary checks, which
is not really what the name suggests. This strengthens fdt_check_header()
to check as much about the blob as is possible from the header alone: as
well as checking the magic number and version, it checks that the total
size is sane, and that all the sub-blocks within the blob lie within the
total size.
* This broadens the meaning of FDT_ERR_TRUNCATED to cover all sorts of
improperly terminated blocks as well as just a structure block without
FDT_END.
* This makes fdt_check_header() only succeed on "complete" blobs, not
in-progress sequential write blobs. The only reason this didn't fail
before was that this function used to be called by many RO functions
which are supposed to also work on incomplete SW blobs.
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Tested-by: Alexey Kardashevskiy <aik@ozlabs.ru>
Reviewed-by: Alexey Kardashevskiy <aik@ozlabs.ru>
Reviewed-by: Simon Glass <sjg@chromium.org>
Diffstat (limited to 'cpukit/dtc')
| -rw-r--r-- | cpukit/dtc/libfdt/fdt.c | 57 |
1 files changed, 56 insertions, 1 deletions
diff --git a/cpukit/dtc/libfdt/fdt.c b/cpukit/dtc/libfdt/fdt.c index 8bbf2dc894..5f1e57a5bd 100644 --- a/cpukit/dtc/libfdt/fdt.c +++ b/cpukit/dtc/libfdt/fdt.c @@ -79,9 +79,64 @@ int fdt_ro_probe_(const void *fdt) return 0; } +static int check_off_(uint32_t hdrsize, uint32_t totalsize, uint32_t off) +{ + return (off >= hdrsize) && (off <= totalsize); +} + +static int check_block_(uint32_t hdrsize, uint32_t totalsize, + uint32_t base, uint32_t size) +{ + if (!check_off_(hdrsize, totalsize, base)) + return 0; /* block start out of bounds */ + if ((base + size) < base) + return 0; /* overflow */ + if (!check_off_(hdrsize, totalsize, base + size)) + return 0; /* block end out of bounds */ + return 1; +} + int fdt_check_header(const void *fdt) { - return fdt_ro_probe_(fdt); + size_t hdrsize = FDT_V16_SIZE; + + if (fdt_magic(fdt) != FDT_MAGIC) + return -FDT_ERR_BADMAGIC; + if ((fdt_version(fdt) < FDT_FIRST_SUPPORTED_VERSION) + || (fdt_last_comp_version(fdt) > FDT_LAST_SUPPORTED_VERSION)) + return -FDT_ERR_BADVERSION; + if (fdt_version(fdt) < fdt_last_comp_version(fdt)) + return -FDT_ERR_BADVERSION; + + if (fdt_version(fdt) >= 17) + hdrsize = FDT_V17_SIZE; + + if ((fdt_totalsize(fdt) < hdrsize) + || (fdt_totalsize(fdt) > INT_MAX)) + return -FDT_ERR_TRUNCATED; + + /* Bounds check memrsv block */ + if (!check_off_(hdrsize, fdt_totalsize(fdt), fdt_off_mem_rsvmap(fdt))) + return -FDT_ERR_TRUNCATED; + + /* Bounds check structure block */ + if (fdt_version(fdt) < 17) { + if (!check_off_(hdrsize, fdt_totalsize(fdt), + fdt_off_dt_struct(fdt))) + return -FDT_ERR_TRUNCATED; + } else { + if (!check_block_(hdrsize, fdt_totalsize(fdt), + fdt_off_dt_struct(fdt), + fdt_size_dt_struct(fdt))) + return -FDT_ERR_TRUNCATED; + } + + /* Bounds check strings block */ + if (!check_block_(hdrsize, fdt_totalsize(fdt), + fdt_off_dt_strings(fdt), fdt_size_dt_strings(fdt))) + return -FDT_ERR_TRUNCATED; + + return 0; } const void *fdt_offset_ptr(const void *fdt, int offset, unsigned int len) |