From 2e53f9d2f0a8faab6cec0d78958d52c155f6c6eb Mon Sep 17 00:00:00 2001 From: Anton Blanchard Date: Sun, 3 Jan 2016 08:43:35 +1100 Subject: Catch unsigned 32bit overflow when parsing flattened device tree offsets We have a couple of checks of the form: if (offset+size > totalsize) die(); We need to check that offset+size doesn't overflow, otherwise the check will pass, and we may access past totalsize. Found with AFL. Signed-off-by: Anton Blanchard [Added a testcase] Signed-off-by: David Gibson --- tests/trees.S | 31 +++++++++++++++++++++++++++++++ 1 file changed, 31 insertions(+) (limited to 'tests/trees.S') diff --git a/tests/trees.S b/tests/trees.S index 2389cd3..3d24aa2 100644 --- a/tests/trees.S +++ b/tests/trees.S @@ -209,3 +209,34 @@ bad_prop_char_strings: STRING(bad_prop_char, prop, "prop$erty") bad_prop_char_strings_end: bad_prop_char_end: + + + /* overflow_size_strings */ + .balign 8 + .globl _ovf_size_strings +_ovf_size_strings: +ovf_size_strings: + FDTLONG(FDT_MAGIC) + FDTLONG(ovf_size_strings_end - ovf_size_strings) + FDTLONG(ovf_size_strings_struct - ovf_size_strings) + FDTLONG(ovf_size_strings_strings - ovf_size_strings) + FDTLONG(ovf_size_strings_rsvmap - ovf_size_strings) + FDTLONG(0x11) + FDTLONG(0x10) + FDTLONG(0) + FDTLONG(0xffffffff) + FDTLONG(ovf_size_strings_struct_end - ovf_size_strings_struct) + EMPTY_RSVMAP(ovf_size_strings) + +ovf_size_strings_struct: + BEGIN_NODE("") + PROP_INT(ovf_size_strings, bad_string, 0) + END_NODE + FDTLONG(FDT_END) +ovf_size_strings_struct_end: + +ovf_size_strings_strings: + STRING(ovf_size_strings, x, "x") + ovf_size_strings_bad_string = ovf_size_strings_strings + 0x10000000 +ovf_size_strings_strings_end: +ovf_size_strings_end: -- cgit v1.1