fdt_region: Check for a single root node of the correct name
At present fdt_find_regions() assumes that the FIT is a valid devicetree. If the FIT has two root nodes this is currently not detected in this function, nor does libfdt's fdt_check_full() notice. Also it is possible for the root node to have a name even though it should not. Add checks for these and return -FDT_ERR_BADSTRUCTURE if a problem is detected. CVE-2021-27097 Signed-off-by: Simon Glass <sjg@chromium.org> Reported-by: Bruce Monroe <bruce.monroe@intel.com> Reported-by: Arie Haenel <arie.haenel@intel.com> Reported-by: Julien Lenoir <julien.lenoir@intel.com>
This commit is contained in:
parent
6144438fb5
commit
8a7d4cf982
|
@ -43,6 +43,7 @@ int fdt_find_regions(const void *fdt, char * const inc[], int inc_count,
|
||||||
int depth = -1;
|
int depth = -1;
|
||||||
int want = 0;
|
int want = 0;
|
||||||
int base = fdt_off_dt_struct(fdt);
|
int base = fdt_off_dt_struct(fdt);
|
||||||
|
bool expect_end = false;
|
||||||
|
|
||||||
end = path;
|
end = path;
|
||||||
*end = '\0';
|
*end = '\0';
|
||||||
|
@ -59,6 +60,10 @@ int fdt_find_regions(const void *fdt, char * const inc[], int inc_count,
|
||||||
tag = fdt_next_tag(fdt, offset, &nextoffset);
|
tag = fdt_next_tag(fdt, offset, &nextoffset);
|
||||||
stop_at = nextoffset;
|
stop_at = nextoffset;
|
||||||
|
|
||||||
|
/* If we see two root nodes, something is wrong */
|
||||||
|
if (expect_end && tag != FDT_END)
|
||||||
|
return -FDT_ERR_BADLAYOUT;
|
||||||
|
|
||||||
switch (tag) {
|
switch (tag) {
|
||||||
case FDT_PROP:
|
case FDT_PROP:
|
||||||
include = want >= 2;
|
include = want >= 2;
|
||||||
|
@ -81,6 +86,10 @@ int fdt_find_regions(const void *fdt, char * const inc[], int inc_count,
|
||||||
if (depth == FDT_MAX_DEPTH)
|
if (depth == FDT_MAX_DEPTH)
|
||||||
return -FDT_ERR_BADSTRUCTURE;
|
return -FDT_ERR_BADSTRUCTURE;
|
||||||
name = fdt_get_name(fdt, offset, &len);
|
name = fdt_get_name(fdt, offset, &len);
|
||||||
|
|
||||||
|
/* The root node must have an empty name */
|
||||||
|
if (!depth && *name)
|
||||||
|
return -FDT_ERR_BADLAYOUT;
|
||||||
if (end - path + 2 + len >= path_len)
|
if (end - path + 2 + len >= path_len)
|
||||||
return -FDT_ERR_NOSPACE;
|
return -FDT_ERR_NOSPACE;
|
||||||
if (end != path + 1)
|
if (end != path + 1)
|
||||||
|
@ -108,6 +117,8 @@ int fdt_find_regions(const void *fdt, char * const inc[], int inc_count,
|
||||||
while (end > path && *--end != '/')
|
while (end > path && *--end != '/')
|
||||||
;
|
;
|
||||||
*end = '\0';
|
*end = '\0';
|
||||||
|
if (depth == -1)
|
||||||
|
expect_end = true;
|
||||||
break;
|
break;
|
||||||
|
|
||||||
case FDT_END:
|
case FDT_END:
|
||||||
|
|
Loading…
Reference in New Issue