author Pierre-Clément Tosi <ptosi@google.com> 2022-07-26 15:59:06 +0100
committer Pierre-Clément Tosi <ptosi@google.com> 2022-09-09 15:34:14 +0100
commit3afda967bc78d227b521d945f2ade2475974f1dc (patch)
treea90a896f90ab14aaafb169210ee770e75230e1c2 /fuzzing
parentf500e27127cc8f2e9345fceedf2cef604eb38c9d (diff)
ANDROID: fuzz: Only check valid phandles
Ignore invalid phandles from fdt_get_phandle(). Update the assert() to avoid false positives, as per the libfdt API: ``` * fdt_node_offset_by_phandle() returns the offset of the node * which has the given phandle value. If there is more than one node * in the tree with the given phandle (an invalid tree), results are * undefined. ``` Bug: 240612647 Test: SANITIZE_HOST=address m libfdt_fuzzer Signed-off-by: Pierre-Clément Tosi <ptosi@google.com> Change-Id: Ifbb6a25ab6bd1463afccc88f9756d34c3cf59717
Diffstat (limited to 'fuzzing')
-rw-r--r--fuzzing/libfdt_fuzzer.c8
1 files changed, 6 insertions, 2 deletions
diff --git a/fuzzing/libfdt_fuzzer.c b/fuzzing/libfdt_fuzzer.c
index 98e03c8..89fe3c2 100644
--- a/fuzzing/libfdt_fuzzer.c
+++ b/fuzzing/libfdt_fuzzer.c
@@ -55,6 +55,9 @@ static void check_mem(const void *mem, size_t len) {
#endif
}
+static bool phandle_is_valid(uint32_t phandle) {
+ return phandle != 0 && phandle != UINT32_MAX;
+}
static void walk_device_tree(const void *device_tree, int parent_node) {
int len = 0;
@@ -64,8 +67,9 @@ static void walk_device_tree(const void *device_tree, int parent_node) {
}
uint32_t phandle = fdt_get_phandle(device_tree, parent_node);
- if (phandle != 0) {
- assert(parent_node == fdt_node_offset_by_phandle(device_tree, phandle));
+ if (phandle_is_valid(phandle)) {
+ int node = fdt_node_offset_by_phandle(device_tree, phandle);
+ assert(node >= 0); // it should at least find parent_node
}
// recursively walk the node's children
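Review bot: The replacement assertion `assert(node >= 0)` is weaker than the property the commit message describes, since a non-negative offset only shows that some node with this phandle exists, not that the lookup is consistent with the node being walked. A check that stays valid even with duplicate phandles in the tree (the case the old `parent_node ==` assertion tripped on) is that the node returned carries the same phandle: `assert(node >= 0); assert(fdt_get_phandle(device_tree, node) == phandle);`, and the trailing comment could then read `// may differ from parent_node if phandles are duplicated` instead of the current `// it should at least find parent_node`. In the first hunk, `phandle_is_valid` relies on `bool` and `UINT32_MAX`; the include block is outside this diff, so it is worth confirming `<stdbool.h>` and `<stdint.h>` are already pulled in, and a one-line comment such as `/* 0 and ~0U are the phandle values libfdt treats as invalid */` above the helper would make the two magic values self-explaining. walk_device_tree starts before this hunk and continues past it.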