diff options
| author | 2023-10-06 14:39:12 +0100 | |
|---|---|---|
| committer | 2023-10-11 18:31:44 +0100 | |
| commit | bb2b54f19e202d5781ec6c05b3d584fcd85cddcc (patch) | |
| tree | 6d6c5c679a5ccf01f9ec1b7c37e4d4002289446e | |
| parent | 824645385979cf00626c048fcc5443e7209af458 (diff) | |
ANDROID: Revert "Fix integer wrap sanitisation."
This reverts commit 0e783e26f75c08e421467ca4a6c21ff2589cd2fa.
Revert the patch we've had in Android now that upstream has [1]
commit 73590342fc85 ("libfdt: prevent integer overflow in fdt_next_tag")
which addresses the same bug.
As that patch is less rigorous w.r.t. the final value of 'offset' than
the one, the last 'if' is upstreamed by [2], which will be cherry-picked
here.
[1]: https://android.googlesource.com/platform/external/dtc/+/73590342fc85ca207ca1e6cbc110179873a96962
[2]: https://lore.kernel.org/devicetree-compiler/20231011172427.g4tlsew3wsjtddil@google.com/
Test: N/A
Change-Id: I662a599713b4090abd090322bca0a78e58f4c92c
| -rw-r--r-- | libfdt/fdt.c | 19 |
1 files changed, 5 insertions, 14 deletions
diff --git a/libfdt/fdt.c b/libfdt/fdt.c index c17cad5..9fe7cf4 100644 --- a/libfdt/fdt.c +++ b/libfdt/fdt.c @@ -188,20 +188,12 @@ uint32_t fdt_next_tag(const void *fdt, int startoffset, int *nextoffset) break; case FDT_PROP: - lenp = fdt_offset_ptr(fdt, offset, sizeof(struct fdt_property) - FDT_TAGSIZE); + lenp = fdt_offset_ptr(fdt, offset, sizeof(*lenp)); if (!can_assume(VALID_DTB) && !lenp) return FDT_END; /* premature end */ - - /* skip name offset, length */ - offset += sizeof(struct fdt_property) - FDT_TAGSIZE; - - if (!can_assume(VALID_DTB) - && !fdt_offset_ptr(fdt, offset, fdt32_to_cpu(*lenp))) - return FDT_END; /* premature end */ - - /* skip value */ - offset += fdt32_to_cpu(*lenp); - + /* skip-name offset, length and value */ + offset += sizeof(struct fdt_property) - FDT_TAGSIZE + + fdt32_to_cpu(*lenp); if (!can_assume(LATEST) && fdt_version(fdt) < 0x10 && fdt32_to_cpu(*lenp) >= 8 && ((offset - fdt32_to_cpu(*lenp)) % 8) != 0) @@ -217,8 +209,7 @@ uint32_t fdt_next_tag(const void *fdt, int startoffset, int *nextoffset) return FDT_END; } - if (!can_assume(VALID_DTB) && (offset <= startoffset - || !fdt_offset_ptr(fdt, startoffset, offset - startoffset))) + if (!fdt_offset_ptr(fdt, startoffset, offset - startoffset)) return FDT_END; /* premature end */ *nextoffset = FDT_TAGALIGN(offset); |