Re: [Xen-devel] [PATCH 1/2] libfdt: Fix undefined behaviour in fdt_offset_ptr()

[Julien Grall <julien@xxxxxxx>]

Hi Jan,

On 13/03/2020 07:35, Jan Beulich wrote:
> From: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
>
> Using pointer arithmetic to generate a pointer outside a known object is,
> technically, undefined behaviour in C.  Unfortunately, we were using that
> in fdt_offset_ptr() to detect overflows.
>
> To fix this we need to do our bounds / overflow checking on the offsets
> before constructing pointers from them.
>
> Reported-by: David Binderman <dcb314@xxxxxxxxxxx>
> Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
> [upstream commit d0b3ab0a0f46ac929b4713da46f7fdcd893dd3bd]
> Signed-off-by: Jan Beulich <jbeulich@xxxxxxxx>
Acked-by: Julien Grall <jgrall@xxxxxxxxxx>

Cheers,

> --- a/xen/common/libfdt/fdt.c
> +++ b/xen/common/libfdt/fdt.c
> @@ -74,18 +74,19 @@ int fdt_check_header(const void *fdt)
>   
>   const void *fdt_offset_ptr(const void *fdt, int offset, unsigned int len)
>   {
> -       const char *p;
> +       unsigned absoffset = offset + fdt_off_dt_struct(fdt);
> +
> +       if ((absoffset < offset)
> +           || ((absoffset + len) < absoffset)
> +           || (absoffset + len) > fdt_totalsize(fdt))
> +               return NULL;
>   
>   	if (fdt_version(fdt) >= 0x11)
>                 if (((offset + len) < offset)
>                     || ((offset + len) > fdt_size_dt_struct(fdt)))
>                         return NULL;
>   
> -	p = _fdt_offset_ptr(fdt, offset);
> -
> -       if (p + len < p)
> -               return NULL;
> -       return p;
> +       return _fdt_offset_ptr(fdt, offset);
>   }
>   
>   uint32_t fdt_next_tag(const void *fdt, int startoffset, int *nextoffset)
--
Julien Grall

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxxx
https://lists.xenproject.org/mailman/listinfo/xen-devel