[xen staging] xen/dt-overlay: check overlay size before memcmp in tracker lookup
commit a7b7a50b33da3e38a2bea6120fcbf119945751b8
Author: Michal Orzel <michal.orzel@xxxxxxx>
AuthorDate: Wed Apr 15 13:36:57 2026 +0200
Commit: Michal Orzel <michal.orzel@xxxxxxx>
CommitDate: Wed Apr 29 07:37:58 2026 +0200
xen/dt-overlay: check overlay size before memcmp in tracker lookup
find_track_entry_from_tracker() compares overlay_fdt_size bytes of the
stored overlay against the input without verifying that the stored
overlay is at least that large. If the input is larger, memcmp reads
past the stored allocation. If smaller, a prefix match could falsely
succeed.
Compare fdt_totalsize() of the stored overlay against overlay_fdt_size
first. Both values are validated by check_overlay_fdt() at their
respective entry points, so no additional field in overlay_track is
needed.
Fixes: 7e5c4a8b86f1 ("xen/arm: Implement device tree node removal
functionalities")
Signed-off-by: Michal Orzel <michal.orzel@xxxxxxx>
Reviewed-by: Luca Fancellu <luca.fancellu@xxxxxxx>
Acked-by: Stefano Stabellini <sstabellini@xxxxxxxxxx>
---
xen/common/device-tree/dt-overlay.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/xen/common/device-tree/dt-overlay.c
b/xen/common/device-tree/dt-overlay.c
index 3853e6e347..0eed1532a1 100644
--- a/xen/common/device-tree/dt-overlay.c
+++ b/xen/common/device-tree/dt-overlay.c
@@ -379,7 +379,8 @@ find_track_entry_from_tracker(const void *overlay_fdt,
*/
list_for_each_entry_safe( entry, temp, &overlay_tracker, entry )
{
- if ( memcmp(entry->overlay_fdt, overlay_fdt, overlay_fdt_size) == 0 )
+ if ( (fdt_totalsize(entry->overlay_fdt) == overlay_fdt_size) &&
+ !memcmp(entry->overlay_fdt, overlay_fdt, overlay_fdt_size) )
{
found_entry = true;
break;
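Review bot: The size test added to the `if` condition depends on `fdt_totalsize(entry->overlay_fdt)` being trustworthy, and that invariant (both sizes validated by check_overlay_fdt() at their entry points) is recorded only in the commit message, not in the code. Consider extending the comment that closes just above `list_for_each_entry_safe` to state that the stored header was validated when the entry was tracked and that the equality test has to stay ahead of the memcmp in the `&&` chain. Otherwise a later reordering of the operands would bring back the read past the stored allocation or the prefix match without any hint in the source.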
--
generated by git-patchbot for /home/xen/git/xen.git#staging