diff options
author | David Gibson <david@gibson.dropbear.id.au> | 2018-03-09 23:28:56 +1100 |
---|---|---|
committer | David Gibson <david@gibson.dropbear.id.au> | 2018-06-07 11:48:20 +1000 |
commit | d5db5382c5e583d184e4484662eb87f1999d4a46 (patch) | |
tree | b464c3bd120fd6aac9abaa4b09f349658bb5e889 /tests/trees.S | |
parent | 719d582e98ec9c696c3e3c74e6efb357fd2168f8 (diff) | |
download | dtc-d5db5382c5e583d184e4484662eb87f1999d4a46.zip dtc-d5db5382c5e583d184e4484662eb87f1999d4a46.tar.gz dtc-d5db5382c5e583d184e4484662eb87f1999d4a46.tar.bz2 |
libfdt: Safer access to memory reservations
fdt_num_mem_rsv() and fdt_get_mem_rsv() currently don't sanity check their
parameters, or the memory reserve section offset in the header. That means
that on a corrupted blob they could access outside of the range of memory
that they should.
This improves their safety checking, meaning they shouldn't access outside
the blob's bounds, even if its contents are badly corrupted.
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Tested-by: Alexey Kardashevskiy <aik@ozlabs.ru>
Reviewed-by: Alexey Kardashevskiy <aik@ozlabs.ru>
Reviewed-by: Simon Glass <sjg@chromium.org>
Diffstat (limited to 'tests/trees.S')
-rw-r--r-- | tests/trees.S | 20 |
1 files changed, 20 insertions, 0 deletions
diff --git a/tests/trees.S b/tests/trees.S index 7ae1bde..efab287 100644 --- a/tests/trees.S +++ b/tests/trees.S @@ -259,3 +259,23 @@ truncated_string_bad_string: /* NOTE: terminating \0 deliberately missing */ truncated_string_strings_end: truncated_string_end: + + + /* truncated_memrsv */ + TREE_HDR(truncated_memrsv) + +truncated_memrsv_struct: + BEGIN_NODE("") + END_NODE + FDTLONG(FDT_END) +truncated_memrsv_struct_end: + +truncated_memrsv_strings: +truncated_memrsv_strings_end: + + .balign 8 +truncated_memrsv_rsvmap: + RSVMAP_ENTRY(TEST_ADDR_1H, TEST_ADDR_1L, TEST_SIZE_1H, TEST_SIZE_1L) +truncated_memrsv_rsvmap_end: + +truncated_memrsv_end: |