| author | David Gibson <david@gibson.dropbear.id.au> | 2018-07-09 14:50:38 +1000 |
|---|---|---|
| committer | David Gibson <david@gibson.dropbear.id.au> | 2018-07-09 15:03:14 +1000 |
| commit | 1087504bb3e8b00988e7bb99784eb02d4d9d9fd1 (patch) | |
| tree | 14f6063b423e5ada775fa67176390f2a8d113e23 /libfdt | |
| parent | c72fa777e61383850436f9f9cac3b0ddae41317b (diff) | |
libfdt: Add necessary header padding in fdt_create()
At present fdt_create() will succeed if there is exactly enough space to
put in the fdt header. However, it sets the off_mem_rsvmap field, a few
bytes past that in order to align the memory reservation block.

Having block pointers pointing past the end of the fdt is pretty ugly, even
if it is just a transient state. Worse, if fdt_resize() is called at
exactly the wrong time, it can end up accessing data past the blob's
allocated space because of this.

So, correct fdt_create() to ensure that there is sufficient space for the
alignment padding as well as the plain header. For paranoia, also add a
check in fdt_resize() to make sure we don't copy data from outside the
blob's bounds.
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Diffstat (limited to 'libfdt')
-rw-r--r-- | libfdt/fdt_sw.c | 10 |
1 files changed, 7 insertions, 3 deletions
diff --git a/libfdt/fdt_sw.c b/libfdt/fdt_sw.c index 024f4d8..9fa4a94 100644 --- a/libfdt/fdt_sw.c +++ b/libfdt/fdt_sw.c @@ -143,9 +143,11 @@ static void *fdt_grab_space_(void *fdt, size_t len) int fdt_create(void *buf, int bufsize) { + const size_t hdrsize = FDT_ALIGN(sizeof(struct fdt_header), + sizeof(struct fdt_reserve_entry)); void *fdt = buf; - if (bufsize < sizeof(struct fdt_header)) + if (bufsize < hdrsize) return -FDT_ERR_NOSPACE; memset(buf, 0, bufsize); @@ -155,8 +157,7 @@ int fdt_create(void *buf, int bufsize) fdt_set_last_comp_version(fdt, FDT_FIRST_SUPPORTED_VERSION); fdt_set_totalsize(fdt, bufsize); - fdt_set_off_mem_rsvmap(fdt, FDT_ALIGN(sizeof(struct fdt_header), - sizeof(struct fdt_reserve_entry))); + fdt_set_off_mem_rsvmap(fdt, hdrsize); fdt_set_off_dt_struct(fdt, fdt_off_mem_rsvmap(fdt)); fdt_set_off_dt_strings(fdt, 0); @@ -173,6 +174,9 @@ int fdt_resize(void *fdt, void *buf, int bufsize) headsize = fdt_off_dt_struct(fdt) + fdt_size_dt_struct(fdt); tailsize = fdt_size_dt_strings(fdt); + if ((headsize + tailsize) > fdt_totalsize(fdt)) + return -FDT_ERR_INTERNAL; + if ((headsize + tailsize) > bufsize) return -FDT_ERR_NOSPACE; |
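Review bot: In the first hunk, the new guard `if (bufsize < hdrsize)` compares a signed `int` against a `size_t`, so a negative `bufsize` is converted to a very large unsigned value, the check passes, and the following `memset(buf, 0, bufsize)` is handed that same huge length. The pre-existing `sizeof(struct fdt_header)` comparison had the identical weakness, but since this hunk rewrites the line it is the natural place to close it: `if (bufsize < 0 || (size_t)bufsize < hdrsize)` rejects negative sizes explicitly and also silences `-Wsign-compare`.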
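Review bot: In the second hunk, now that `hdrsize` holds the aligned header size, the line that follows, `fdt_set_off_dt_struct(fdt, fdt_off_mem_rsvmap(fdt));`, could use `hdrsize` directly instead of reading the value back through the accessor; that keeps the three header fields visibly derived from one local constant and makes the relationship between the space check and the offsets obvious to the next reader.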
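Review bot: In the third hunk, the new `(headsize + tailsize) > fdt_totalsize(fdt)` check returns `-FDT_ERR_INTERNAL` without any comment, and since that error code signals a broken libfdt invariant rather than a caller mistake, the intent deserves one line above the `if`, for example: `/* Header offsets must not point past the blob; this can only happen if libfdt itself corrupted them. */`. It is also worth noting in the commit message that `headsize` and `tailsize` are taken from the blob's own header fields, which is exactly why this bounds check has to run before those values are used to size the copy into `buf`, and why it correctly precedes the existing `bufsize` comparison.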