author | Anton Blanchard <anton@samba.org> | 2016-01-03 08:43:35 +1100 |
---|---|---|
committer | David Gibson <david@gibson.dropbear.id.au> | 2016-02-19 01:08:46 +1100 |
commit | 2e53f9d2f0a8faab6cec0d78958d52c155f6c6eb (patch) | |
tree | 1c498c162608ead00ad8e841967b426df45293b4 /tests/trees.S | |
parent | b06e55c88b9b922ff7e25cd62a4709b65524f0fc (diff) | |
download | dtc-2e53f9d2f0a8faab6cec0d78958d52c155f6c6eb.zip dtc-2e53f9d2f0a8faab6cec0d78958d52c155f6c6eb.tar.gz dtc-2e53f9d2f0a8faab6cec0d78958d52c155f6c6eb.tar.bz2 |
Catch unsigned 32bit overflow when parsing flattened device tree offsets
We have a couple of checks of the form:
    if (offset+size > totalsize)
        die();
We need to check that offset+size doesn't overflow, otherwise the check
will pass, and we may access past totalsize.
Found with AFL.
Signed-off-by: Anton Blanchard <anton@samba.org>
[Added a testcase]
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
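The check the commit message describes, modelled as an added example in C (this is illustration written for this page, not dtc's own code). The three quantities are `uint32_t`, as the flattened device tree header fields are, so `offset + size` wraps modulo 2^32; the constructed values (`totalsize` 0x100, `offset` 0x40, `size` 0xffffffff) mirror the shape of the test fixture below, where `size_dt_strings` is set to 0xffffffff. The function names `region_ok_unchecked`, `region_ok_checked` and `region_ok_sub` are this example's own.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Unguarded form of the check. If offset + size wraps around, the sum
 * can be smaller than totalsize even though the region extends far past
 * the end of the blob, so the region is wrongly accepted. */
static bool region_ok_unchecked(uint32_t offset, uint32_t size, uint32_t totalsize)
{
    if (offset + size > totalsize)
        return false;
    return true;
}

/* Guarded form: an unsigned sum that comes out smaller than one of its
 * operands has wrapped, so reject that case before the range test. */
static bool region_ok_checked(uint32_t offset, uint32_t size, uint32_t totalsize)
{
    uint32_t end = offset + size;

    if (end < offset)        /* 32-bit overflow */
        return false;
    if (end > totalsize)     /* region runs past the blob */
        return false;
    return true;
}

/* Equivalent form that avoids the addition altogether: once offset is
 * known to lie inside the blob, compare size against the space left. */
static bool region_ok_sub(uint32_t offset, uint32_t size, uint32_t totalsize)
{
    if (offset > totalsize)
        return false;
    return size <= totalsize - offset;
}

int main(void)
{
    /* Constructed values: a 256-byte blob, a section starting at 0x40
     * whose declared size is 0xffffffff. 0x40 + 0xffffffff wraps to 0x3f. */
    uint32_t totalsize = 0x100, offset = 0x40, size = 0xffffffffu;

    printf("unchecked accepts bogus region: %s\n",
           region_ok_unchecked(offset, size, totalsize) ? "yes" : "no");
    printf("checked   accepts bogus region: %s\n",
           region_ok_checked(offset, size, totalsize) ? "yes" : "no");
    printf("subtract  accepts bogus region: %s\n",
           region_ok_sub(offset, size, totalsize) ? "yes" : "no");
    return 0;
}
```

The subtraction form is the one to prefer when the bound on `offset` has already been established by an earlier check, since it needs no reasoning about wraparound at all; the `end < offset` form is the direct fix when the existing `offset + size > totalsize` pattern has to stay.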
Diffstat (limited to 'tests/trees.S')
-rw-r--r-- | tests/trees.S | 31 |
1 files changed, 31 insertions, 0 deletions
diff --git a/tests/trees.S b/tests/trees.S index 2389cd3..3d24aa2 100644 --- a/tests/trees.S +++ b/tests/trees.S @@ -209,3 +209,34 @@ bad_prop_char_strings: STRING(bad_prop_char, prop, "prop$erty") bad_prop_char_strings_end: bad_prop_char_end: + + + /* overflow_size_strings */ + .balign 8 + .globl _ovf_size_strings +_ovf_size_strings: +ovf_size_strings: + FDTLONG(FDT_MAGIC) + FDTLONG(ovf_size_strings_end - ovf_size_strings) + FDTLONG(ovf_size_strings_struct - ovf_size_strings) + FDTLONG(ovf_size_strings_strings - ovf_size_strings) + FDTLONG(ovf_size_strings_rsvmap - ovf_size_strings) + FDTLONG(0x11) + FDTLONG(0x10) + FDTLONG(0) + FDTLONG(0xffffffff) + FDTLONG(ovf_size_strings_struct_end - ovf_size_strings_struct) + EMPTY_RSVMAP(ovf_size_strings) + +ovf_size_strings_struct: + BEGIN_NODE("") + PROP_INT(ovf_size_strings, bad_string, 0) + END_NODE + FDTLONG(FDT_END) +ovf_size_strings_struct_end: + +ovf_size_strings_strings: + STRING(ovf_size_strings, x, "x") + ovf_size_strings_bad_string = ovf_size_strings_strings + 0x10000000 +ovf_size_strings_strings_end: +ovf_size_strings_end: |
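Review bot: The fixture's literal header values are undocumented, which makes it hard to see which one triggers the overflow. The ninth `FDTLONG` (the `size_dt_strings` slot) is the deliberately bogus `0xffffffff`, and `ovf_size_strings_bad_string = ovf_size_strings_strings + 0x10000000` pushes the property's name offset outside the blob; each deserves a one-line comment such as `/* size_dt_strings: off_dt_strings + 0xffffffff wraps below totalsize */` so a reader does not have to count header fields. The block comment `/* overflow_size_strings */` also does not match the `ovf_size_strings` symbol names used throughout the fixture; using the same name in both avoids grepping for a label that does not exist. Finally, since this diff is limited to `tests/trees.S`, the test-script entry that loads `ovf_size_strings` and expects the parser to reject it is not visible here; it belongs in the same change so the fixture is actually exercised.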