[PATCH v2] libfdt: check for potential overrun in _fdt_splice()

2015-12-01 Thread Bjorn Andersson
From: Courtney Cavin 

This patch catches the conditions where:
 - 'splicepoint' is set to a point outside of [ fdt, fdt_totalsize(fdt) )
 - 'newlen' is negative, or 'splicepoint' plus 'newlen' results in overflow

Either of these cases can be caused by math which overflows in calling
functions, or by sizes specified through dynamic means.

Signed-off-by: Courtney Cavin 
Signed-off-by: Bjorn Andersson 
---
 libfdt/fdt_rw.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/libfdt/fdt_rw.c b/libfdt/fdt_rw.c
index 70adec6c371b..8be02b1f68f3 100644
--- a/libfdt/fdt_rw.c
+++ b/libfdt/fdt_rw.c
@@ -101,6 +101,8 @@ static int _fdt_splice(void *fdt, void *splicepoint, int 
oldlen, int newlen)
 
if (((p + oldlen) < p) || ((p + oldlen) > end))
return -FDT_ERR_BADOFFSET;
+   if ((p < (char *)fdt) || ((end - oldlen + newlen) < (char *)fdt))
+   return -FDT_ERR_BADOFFSET;
if ((end - oldlen + newlen) > ((char *)fdt + fdt_totalsize(fdt)))
return -FDT_ERR_NOSPACE;
memmove(p + newlen, p + oldlen, end - p - oldlen);
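Review bot: the new condition on the `+` lines bounds the new end of the data (`end - oldlen + newlen`) but not the `memmove()` destination `p + newlen`, so a negative `newlen` can still get through. With `p == (char *)fdt`, `oldlen == 0` and a small negative `newlen`, `end - oldlen + newlen` stays at or above `fdt` whenever `end` is more than `-newlen` bytes past `fdt`, yet `memmove(p + newlen, ...)` then writes below `fdt`. The commit message lists a negative `newlen` as a case to catch, so consider rejecting `oldlen < 0 || newlen < 0` explicitly before any pointer arithmetic, or testing `(p + newlen) < (char *)fdt`. Separately, comparisons such as `(p + oldlen) < p` and `(end - oldlen + newlen) < (char *)fdt` only work if the pointer arithmetic has already left the object, which is undefined behaviour in C and may be optimised away by the compiler; doing the checks on integer offsets from `fdt` against `fdt_totalsize(fdt)` would avoid that.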
-- 
2.4.2



Re: [PATCH v2] libfdt: check for potential overrun in _fdt_splice()

2015-12-01 Thread David Gibson
On Tue, Dec 01, 2015 at 04:43:10PM -0800, Bjorn Andersson wrote:
> From: Courtney Cavin 
> 
> This patch catches the conditions where:
>  - 'splicepoint' is set to a point outside of [ fdt, fdt_totalsize(fdt) )
>  - 'newlen' is negative, or 'splicepoint' plus 'newlen' results in overflow
> 
> Either of these cases can be caused by math which overflows in calling
> functions, or by sizes specified through dynamic means.
> 
> Signed-off-by: Courtney Cavin 
> Signed-off-by: Bjorn Andersson 

Applied, thanks.

-- 
David Gibson| I'll have my music baroque, and my code
david AT gibson.dropbear.id.au  | minimalist, thank you.  NOT _the_ _other_
| _way_ _around_!
http://www.ozlabs.org/~dgibson

