[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH 3/6] xen/dt-overlay: check overlay size before memcmp in tracker lookup

To: Luca Fancellu <Luca.Fancellu@xxxxxxx>
From: Stefano Stabellini <sstabellini@xxxxxxxxxx>
Date: Tue, 21 Apr 2026 15:17:46 -0700 (PDT)
Authentication-results: eu.smtp.expurgate.cloud; dkim=pass header.s=k20201202 header.d=kernel.org header.i="@kernel.org" header.h="Date:From:To:cc:Subject:In-Reply-To:References"
Cc: Michal Orzel <michal.orzel@xxxxxxx>, "xen-devel@xxxxxxxxxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxxxxxxxxx>, Stefano Stabellini <sstabellini@xxxxxxxxxx>, Julien Grall <julien@xxxxxxx>, Bertrand Marquis <Bertrand.Marquis@xxxxxxx>
Delivery-date: Tue, 21 Apr 2026 22:17:50 +0000
List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On Wed, 15 Apr 2026, Luca Fancellu wrote:
> Hi Michal,
> 
> > On 15 Apr 2026, at 12:36, Michal Orzel <michal.orzel@xxxxxxx> wrote:
> > 
> > find_track_entry_from_tracker() compares overlay_fdt_size bytes of the
> > stored overlay against the input without verifying that the stored
> > overlay is at least that large. If the input is larger, memcmp reads
> > past the stored allocation. If smaller, a prefix match could falsely
> > succeed.
> > 
> > Compare fdt_totalsize() of the stored overlay against overlay_fdt_size
> > first. Both values are validated by check_overlay_fdt() at their
> > respective entry points, so no additional field in overlay_track is
> > needed.
> > 
> > Fixes: 7e5c4a8b86f1 ("xen/arm: Implement device tree node removal 
> > functionalities")
> > Signed-off-by: Michal Orzel <michal.orzel@xxxxxxx>
> > ---
> 
> Reviewed-by: Luca Fancellu <luca.fancellu@xxxxxxx>

Acked-by: Stefano Stabellini <sstabellini@xxxxxxxxxx>

References:
- [PATCH 0/6] dt-overlay: some fixes and improvements
  - From: Michal Orzel
- [PATCH 3/6] xen/dt-overlay: check overlay size before memcmp in tracker lookup
  - From: Michal Orzel
- Re: [PATCH 3/6] xen/dt-overlay: check overlay size before memcmp in tracker lookup
  - From: Luca Fancellu

Prev by Date: Re: [PATCH 2/6] xen/dt-overlay: fix rangeset leak and dead code in domctl path
Next by Date: Re: [PATCH 4/6] xen/dt-overlay: fix silent success in dt_overlay_remove_node
Previous by thread: Re: [PATCH 3/6] xen/dt-overlay: check overlay size before memcmp in tracker lookup
Next by thread: [PATCH 2/6] xen/dt-overlay: fix rangeset leak and dead code in domctl path
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.