| Andrew Geissler | 95ac1b8 | 2021-03-31 14:34:31 -0500 | [diff] [blame^] | 1 | From 8a7d4cf9820ea16fabd25a6379351b4dc291204b Mon Sep 17 00:00:00 2001 |
| 2 | From: Simon Glass <sjg@chromium.org> |
| 3 | Date: Mon, 15 Feb 2021 17:08:05 -0700 |
| 4 | Subject: [PATCH] fdt_region: Check for a single root node of the correct name |
| 5 | |
| 6 | At present fdt_find_regions() assumes that the FIT is a valid devicetree. |
| 7 | If the FIT has two root nodes this is currently not detected in this |
| 8 | function, nor does libfdt's fdt_check_full() notice. Also it is possible |
| 9 | for the root node to have a name even though it should not. |
| 10 | |
| 11 | Add checks for these and return -FDT_ERR_BADSTRUCTURE if a problem is |
| 12 | detected. |
| 13 | |
| 14 | CVE-2021-27097 |
| 15 | |
| 16 | Signed-off-by: Simon Glass <sjg@chromium.org> |
| 17 | Reported-by: Bruce Monroe <bruce.monroe@intel.com> |
| 18 | Reported-by: Arie Haenel <arie.haenel@intel.com> |
| 19 | Reported-by: Julien Lenoir <julien.lenoir@intel.com> |
| 20 | |
| 21 | CVE: CVE-2021-27097 |
| 22 | Upstream-Status: Backport[https://github.com/u-boot/u-boot/commit/8a7d4cf9820ea16fabd25a6379351b4dc291204b] |
| 23 | Signed-off-by: Scott Murray <scott.murray@konsulko.com> |
| 24 | |
| 25 | --- |
| 26 | common/fdt_region.c | 11 +++++++++++ |
| 27 | 1 file changed, 11 insertions(+) |
| 28 | |
| 29 | diff --git a/common/fdt_region.c b/common/fdt_region.c |
| 30 | index ff12c518e9..e4ef0ca770 100644 |
| 31 | --- a/common/fdt_region.c |
| 32 | +++ b/common/fdt_region.c |
| 33 | @@ -43,6 +43,7 @@ int fdt_find_regions(const void *fdt, char * const inc[], int inc_count, |
| 34 | int depth = -1; |
| 35 | int want = 0; |
| 36 | int base = fdt_off_dt_struct(fdt); |
| 37 | + bool expect_end = false; |
| 38 | |
| 39 | end = path; |
| 40 | *end = '\0'; |
| 41 | @@ -59,6 +60,10 @@ int fdt_find_regions(const void *fdt, char * const inc[], int inc_count, |
| 42 | tag = fdt_next_tag(fdt, offset, &nextoffset); |
| 43 | stop_at = nextoffset; |
| 44 | |
| 45 | + /* If we see two root nodes, something is wrong */ |
| 46 | + if (expect_end && tag != FDT_END) |
| 47 | + return -FDT_ERR_BADLAYOUT; |
| 48 | + |
| 49 | switch (tag) { |
| 50 | case FDT_PROP: |
| 51 | include = want >= 2; |
| 52 | @@ -81,6 +86,10 @@ int fdt_find_regions(const void *fdt, char * const inc[], int inc_count, |
| 53 | if (depth == FDT_MAX_DEPTH) |
| 54 | return -FDT_ERR_BADSTRUCTURE; |
| 55 | name = fdt_get_name(fdt, offset, &len); |
| 56 | + |
| 57 | + /* The root node must have an empty name */ |
| 58 | + if (!depth && *name) |
| 59 | + return -FDT_ERR_BADLAYOUT; |
| 60 | if (end - path + 2 + len >= path_len) |
| 61 | return -FDT_ERR_NOSPACE; |
| 62 | if (end != path + 1) |
| 63 | @@ -108,6 +117,8 @@ int fdt_find_regions(const void *fdt, char * const inc[], int inc_count, |
| 64 | while (end > path && *--end != '/') |
| 65 | ; |
| 66 | *end = '\0'; |
| 67 | + if (depth == -1) |
| 68 | + expect_end = true; |
| 69 | break; |
| 70 | |
| 71 | case FDT_END: |