From 1a5c324480167b9eca9398a10d95d85a74fcb941 Mon Sep 17 00:00:00 2001 From: David Gibson Date: Fri, 5 Jul 2019 13:42:40 +1000 Subject: libfdt: Tweak data handling to satisfy Coverity In libfdt we often sanity test fdt_totalsize(fdt) fairly early, then trust it (but *only* that header field) for the remainder of our work. However, Coverity gets confused by this - it sees the byteswap in fdt32_ld() and assumes that means it is coming from an untrusted source everytime, resulting in many tainted data warnings. Most of these end up with logic in fdt_get_string() as the unsafe destination for this tainted data, so let's tweak the logic there to make it clearer to Coverity that this is ok. We add a sanity test on fdt_totalsize() to fdt_probe_ro_(). Because the interface allows bare ints to be used for offsets, we already have the assumption that totalsize must be 31-bits or less (2GiB would be a ludicrously large fdt). This makes this more explicit. We also make fdt_probe_ro() return the size for convenience, and change the logic in fdt_get_string() to keep it in a local so that Coverity can see that it has already been bounds-checked. Signed-off-by: David Gibson --- cpukit/dtc/libfdt/fdt_ro.c | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) (limited to 'cpukit/dtc/libfdt/fdt_ro.c') diff --git a/cpukit/dtc/libfdt/fdt_ro.c b/cpukit/dtc/libfdt/fdt_ro.c index 6fd9ec170d..a5c2797cde 100644 --- a/cpukit/dtc/libfdt/fdt_ro.c +++ b/cpukit/dtc/libfdt/fdt_ro.c @@ -33,19 +33,20 @@ static int fdt_nodename_eq_(const void *fdt, int offset, const char *fdt_get_string(const void *fdt, int stroffset, int *lenp) { + int32_t totalsize = fdt_ro_probe_(fdt); uint32_t absoffset = stroffset + fdt_off_dt_strings(fdt); size_t len; int err; const char *s, *n; - err = fdt_ro_probe_(fdt); - if (err != 0) + err = totalsize; + if (totalsize < 0) goto fail; err = -FDT_ERR_BADOFFSET; - if (absoffset >= fdt_totalsize(fdt)) + if (absoffset >= totalsize) goto fail; - len = fdt_totalsize(fdt) - absoffset; + len = totalsize - absoffset; if (fdt_magic(fdt) == FDT_MAGIC) { if (stroffset < 0) @@ -288,7 +289,7 @@ const char *fdt_get_name(const void *fdt, int nodeoffset, int *len) const char *nameptr; int err; - if (((err = fdt_ro_probe_(fdt)) != 0) + if (((err = fdt_ro_probe_(fdt)) < 0) || ((err = fdt_check_node_offset_(fdt, nodeoffset)) < 0)) goto fail; -- cgit v1.2.3