From d5db5382c5e583d184e4484662eb87f1999d4a46 Mon Sep 17 00:00:00 2001 From: David Gibson Date: Fri, 9 Mar 2018 23:28:56 +1100 Subject: libfdt: Safer access to memory reservations fdt_num_mem_rsv() and fdt_get_mem_rsv() currently don't sanity check their parameters, or the memory reserve section offset in the header. That means that on a corrupted blob they could access outside of the range of memory that they should. This improves their safety checking, meaning they shouldn't access outside the blob's bounds, even if its contents are badly corrupted. Signed-off-by: David Gibson Tested-by: Alexey Kardashevskiy Reviewed-by: Alexey Kardashevskiy Reviewed-by: Simon Glass --- tests/trees.S | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) (limited to 'tests/trees.S') diff --git a/tests/trees.S b/tests/trees.S index 7ae1bde..efab287 100644 --- a/tests/trees.S +++ b/tests/trees.S @@ -259,3 +259,23 @@ truncated_string_bad_string: /* NOTE: terminating \0 deliberately missing */ truncated_string_strings_end: truncated_string_end: + + + /* truncated_memrsv */ + TREE_HDR(truncated_memrsv) + +truncated_memrsv_struct: + BEGIN_NODE("") + END_NODE + FDTLONG(FDT_END) +truncated_memrsv_struct_end: + +truncated_memrsv_strings: +truncated_memrsv_strings_end: + + .balign 8 +truncated_memrsv_rsvmap: + RSVMAP_ENTRY(TEST_ADDR_1H, TEST_ADDR_1L, TEST_SIZE_1H, TEST_SIZE_1L) +truncated_memrsv_rsvmap_end: + +truncated_memrsv_end: -- cgit v1.1