At present fdt_find_regions() assumes that the FIT is a valid devicetree. If the FIT has two root nodes this is currently not detected in this function, nor does libfdt's fdt_check_full() notice. Also it is possible for the root node to have a name even though it should not.
Add checks for these and return -FDT_ERR_BADSTRUCTURE if a problem is detected.

CVE-2021-27097

Signed-off-by: Simon Glass <s...@chromium.org>
Reported-by: Bruce Monroe <bruce.mon...@intel.com>
Reported-by: Arie Haenel <arie.hae...@intel.com>
Reported-by: Julien Lenoir <julien.len...@intel.com>
---
 common/fdt_region.c | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/common/fdt_region.c b/common/fdt_region.c
index ff12c518e97..e4ef0ca7703 100644
--- a/common/fdt_region.c
+++ b/common/fdt_region.c
@@ -43,6 +43,7 @@ int fdt_find_regions(const void *fdt, char * const inc[], int inc_count,
 	int depth = -1;
 	int want = 0;
 	int base = fdt_off_dt_struct(fdt);
+	bool expect_end = false;
 
 	end = path;
 	*end = '\0';
@@ -59,6 +60,10 @@ int fdt_find_regions(const void *fdt, char * const inc[], int inc_count,
 		tag = fdt_next_tag(fdt, offset, &nextoffset);
 		stop_at = nextoffset;
 
+		/* If we see two root nodes, something is wrong */
+		if (expect_end && tag != FDT_END)
+			return -FDT_ERR_BADLAYOUT;
+
 		switch (tag) {
 		case FDT_PROP:
 			include = want >= 2;
@@ -81,6 +86,10 @@ int fdt_find_regions(const void *fdt, char * const inc[], int inc_count,
 			if (depth == FDT_MAX_DEPTH)
 				return -FDT_ERR_BADSTRUCTURE;
 			name = fdt_get_name(fdt, offset, &len);
+
+			/* The root node must have an empty name */
+			if (!depth && *name)
+				return -FDT_ERR_BADLAYOUT;
 			if (end - path + 2 + len >= path_len)
 				return -FDT_ERR_NOSPACE;
 			if (end != path + 1)
@@ -108,6 +117,8 @@ int fdt_find_regions(const void *fdt, char * const inc[], int inc_count,
 			while (end > path && *--end != '/')
 				;
 			*end = '\0';
+			if (depth == -1)
+				expect_end = true;
 			break;
 
 		case FDT_END:
-- 
2.30.0.478.g8a0d178c01-goog
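Review bot: The new `expect_end` check in the second hunk rejects every tag other than FDT_END once the root node has closed, but fdt_next_tag() hands back FDT_NOP as a tag (this function already has a `case FDT_NOP`), and the flattened format permits NOPs between the root's FDT_END_NODE and the final FDT_END; if that holds for the blobs accepted here, a well-formed image with trailing NOPs would now fail with -FDT_ERR_BADLAYOUT. Consider `if (expect_end && tag != FDT_END && tag != FDT_NOP)` unless such blobs are intentionally out of scope, in which case the comment should say so. The returned code also disagrees with the commit message, which states that -FDT_ERR_BADSTRUCTURE is returned; the root-name check in the third hunk has the same mismatch, so either the message or both return values should be aligned. fdt_find_regions() begins and ends outside the hunk.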
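Review bot: `*name` is dereferenced in the third hunk right after `name = fdt_get_name(fdt, offset, &len);` with no NULL check; fdt_get_name() returns NULL and stores a negative libfdt error in `len` when the node header is malformed, which is precisely the untrusted-FIT case this change is hardening against, so a corrupt blob could now fault here instead of producing an error return. Adding `if (!name) return len;` before the root-name check keeps the failure in-band and reuses the error code libfdt already reports. The length check and the copy that follow are only partly inside the hunk, so I have not verified how the pre-existing code coped with a NULL name further down. The enclosing `case FDT_BEGIN_NODE` starts before the hunk.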