From patchwork Mon Jun 4 00:22:44 2018
X-Patchwork-Submitter: Teddy Reed
X-Patchwork-Id: 924784
X-Patchwork-Delegate: trini@ti.com
Date: Sun, 3 Jun 2018 20:22:44 -0400
From: Teddy Reed To: u-boot@lists.denx.de Message-Id: <20180603202244.2c6a88e14dd9cfb67f0cee04@gmail.com> X-Mailer: Sylpheed 3.5.0 (GTK+ 2.24.30; x86_64-pc-linux-gnu) Mime-Version: 1.0 Subject: [U-Boot] [PATCH] fdt: Fix string property comparison overflow X-BeenThere: u-boot@lists.denx.de X-Mailman-Version: 2.1.18 Precedence: list List-Id: U-Boot discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: u-boot-bounces@lists.denx.de Sender: "U-Boot" FDT property searching can overflow when comparing strings. This will result in undefined behavior. This check assures that property name lengths do not overrun the string region or the totalsize. Signed-off-by: Teddy Reed --- lib/libfdt/fdt_ro.c | 5 +++++ scripts/dtc/libfdt/fdt.c | 2 ++ 2 files changed, 7 insertions(+) diff --git a/lib/libfdt/fdt_ro.c b/lib/libfdt/fdt_ro.c index b6ca4e0..612f3ac 100644 --- a/lib/libfdt/fdt_ro.c +++ b/lib/libfdt/fdt_ro.c @@ -42,6 +42,11 @@ const char *fdt_string(const void *fdt, int stroffset) static int _fdt_string_eq(const void *fdt, int stroffset, const char *s, int len) { + int total_off = fdt_off_dt_strings(fdt) + stroffset; + if (total_off + len + 1 < total_off || + total_off + len + 1 > fdt_totalsize(fdt)) + return 0; + const char *p = fdt_string(fdt, stroffset); return (strnlen(p, len + 1) == len) && (memcmp(p, s, len) == 0); diff --git a/scripts/dtc/libfdt/fdt.c b/scripts/dtc/libfdt/fdt.c index 7855a17..dffd28d 100644 --- a/scripts/dtc/libfdt/fdt.c +++ b/scripts/dtc/libfdt/fdt.c @@ -57,6 +57,8 @@ int fdt_check_header(const void *fdt) { + if (fdt == NULL) + return -FDT_ERR_BADSTRUCTURE; if (fdt_magic(fdt) == FDT_MAGIC) { /* Complete tree */ if (fdt_version(fdt) < FDT_FIRST_SUPPORTED_VERSION)
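Review bot: In the `_fdt_string_eq()` hunk, the wraparound test `total_off + len + 1 < total_off` is evaluated on `int` operands, so it depends on signed overflow, which is itself undefined behavior and can be removed by the compiler. Do the arithmetic in an unsigned type and reject a negative `stroffset` or `len` before adding. The commit message says the name must not overrun the string region, but only `fdt_totalsize(fdt)` is compared; bounding the offset by the size of the strings block as well would match the description. The new statements also come before the declaration of `p`; moving `const char *p` above the check keeps declarations ahead of code.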
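Review bot: The `fdt == NULL` check added at the top of `fdt_check_header()` is not covered by the commit message, which describes only the string comparison fix; mention it there or split it into its own patch. It is applied under scripts/dtc/libfdt while the first hunk changes lib/libfdt, so state whether both copies are meant to receive both changes. Returning `-FDT_ERR_BADSTRUCTURE` for a NULL pointer deserves a short comment on why that error code was chosen.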