[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Xen-changelog] [xen staging] libfdt: fix undefined behaviour in _fdt_splice()



commit 1faa954df18733792c33b3f5b1b4de4662cfa892
Author:     Jan Beulich <jbeulich@xxxxxxxx>
AuthorDate: Tue Mar 17 16:20:08 2020 +0100
Commit:     Jan Beulich <jbeulich@xxxxxxxx>
CommitDate: Tue Mar 17 16:20:08 2020 +0100

    libfdt: fix undefined behaviour in _fdt_splice()
    
    Along the lines of commit d0b3ab0a0f46 ("libfdt: Fix undefined behaviour
    in fdt_offset_ptr()"), _fdt_splice() similarly may not use pointer
    arithmetic to do overflow checks.
    
    [upstream commit 73d6e9ecb4179b510408bc526240f829262df361]
    Signed-off-by: Jan Beulich <jbeulich@xxxxxxxx>
    Acked-by: Julien Grall <jgrall@xxxxxxxxxx>
---
 xen/common/libfdt/fdt_rw.c | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/xen/common/libfdt/fdt_rw.c b/xen/common/libfdt/fdt_rw.c
index ee18bfc298..8b8cd25cc2 100644
--- a/xen/common/libfdt/fdt_rw.c
+++ b/xen/common/libfdt/fdt_rw.c
@@ -87,7 +87,7 @@ static int _fdt_rw_check_header(void *fdt)
                        return err; \
        }
 
-static inline int _fdt_data_size(void *fdt)
+static inline unsigned int _fdt_data_size(void *fdt)
 {
        return fdt_off_dt_strings(fdt) + fdt_size_dt_strings(fdt);
 }
@@ -95,13 +95,14 @@ static inline int _fdt_data_size(void *fdt)
 static int _fdt_splice(void *fdt, void *splicepoint, int oldlen, int newlen)
 {
        char *p = splicepoint;
-       char *end = (char *)fdt + _fdt_data_size(fdt);
+       unsigned int dsize = _fdt_data_size(fdt);
+       size_t soff = p - (char *)fdt;
 
-       if (((p + oldlen) < p) || ((p + oldlen) > end))
+       if (oldlen < 0 || soff + oldlen < soff || soff + oldlen > dsize)
                return -FDT_ERR_BADOFFSET;
-       if ((end - oldlen + newlen) > ((char *)fdt + fdt_totalsize(fdt)))
+       if (dsize - oldlen + newlen > fdt_totalsize(fdt))
                return -FDT_ERR_NOSPACE;
-       memmove(p + newlen, p + oldlen, end - p - oldlen);
+       memmove(p + newlen, p + oldlen, ((char *)fdt + dsize) - (p + oldlen));
        return 0;
 }
 
--
generated by git-patchbot for /home/xen/git/xen.git#staging

_______________________________________________
Xen-changelog mailing list
Xen-changelog@xxxxxxxxxxxxxxxxxxxx
https://lists.xenproject.org/xen-changelog

 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.