
[xen master] xen/dt-overlay: check overlay size before memcmp in tracker lookup



commit a7b7a50b33da3e38a2bea6120fcbf119945751b8
Author:     Michal Orzel <michal.orzel@xxxxxxx>
AuthorDate: Wed Apr 15 13:36:57 2026 +0200
Commit:     Michal Orzel <michal.orzel@xxxxxxx>
CommitDate: Wed Apr 29 07:37:58 2026 +0200

    xen/dt-overlay: check overlay size before memcmp in tracker lookup
    
    find_track_entry_from_tracker() compares overlay_fdt_size bytes of the
    stored overlay against the input without verifying that the stored
    overlay is at least that large. If the input is larger, memcmp reads
    past the stored allocation. If smaller, a prefix match could falsely
    succeed.
    
    Compare fdt_totalsize() of the stored overlay against overlay_fdt_size
    first. Both values are validated by check_overlay_fdt() at their
    respective entry points, so no additional field in overlay_track is
    needed.
    
    Fixes: 7e5c4a8b86f1 ("xen/arm: Implement device tree node removal functionalities")
    Signed-off-by: Michal Orzel <michal.orzel@xxxxxxx>
    Reviewed-by: Luca Fancellu <luca.fancellu@xxxxxxx>
    Acked-by: Stefano Stabellini <sstabellini@xxxxxxxxxx>
---
 xen/common/device-tree/dt-overlay.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/xen/common/device-tree/dt-overlay.c 
b/xen/common/device-tree/dt-overlay.c
index 3853e6e347..0eed1532a1 100644
--- a/xen/common/device-tree/dt-overlay.c
+++ b/xen/common/device-tree/dt-overlay.c
@@ -379,7 +379,8 @@ find_track_entry_from_tracker(const void *overlay_fdt,
      */
     list_for_each_entry_safe( entry, temp, &overlay_tracker, entry )
     {
-        if ( memcmp(entry->overlay_fdt, overlay_fdt, overlay_fdt_size) == 0 )
+        if ( (fdt_totalsize(entry->overlay_fdt) == overlay_fdt_size) &&
+             !memcmp(entry->overlay_fdt, overlay_fdt, overlay_fdt_size) )
         {
             found_entry = true;
             break;
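
Review bot: the size equality test on the first added line is the only thing keeping the memcmp on the second added line within the stored allocation, but that reasoning is recorded only in the commit message and not in the code. A short comment above the `if` would help here. It should say that the sizes must match before the compare, and that the stored blob's header was validated by check_overlay_fdt() when the entry was tracked. That would guard against a later cleanup reordering or dropping the check. It is also worth confirming that overlay_fdt_size, whose declaration is not visible in this hunk, has the same width and signedness as the value fdt_totalsize() returns, so the `==` involves no implicit conversion.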
--
generated by git-patchbot for /home/xen/git/xen.git#master



 

