At present fdt_find_regions() assumes that the FIT is a valid devicetree.
If the FIT has two root nodes, this is currently not detected by this
function, nor is it noticed by libfdt's fdt_check_full(). It is also possible
for the root node to have a name even though it should not.

Add checks for these and return -FDT_ERR_BADSTRUCTURE if a problem is
detected.

CVE-2021-27097

Signed-off-by: Simon Glass <s...@chromium.org>
Reported-by: Bruce Monroe <bruce.mon...@intel.com>
Reported-by: Arie Haenel <arie.hae...@intel.com>
Reported-by: Julien Lenoir <julien.len...@intel.com>
---

 common/fdt_region.c | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/common/fdt_region.c b/common/fdt_region.c
index ff12c518e97..e4ef0ca7703 100644
--- a/common/fdt_region.c
+++ b/common/fdt_region.c
@@ -43,6 +43,7 @@ int fdt_find_regions(const void *fdt, char * const inc[], int 
inc_count,
        int depth = -1;
        int want = 0;
        int base = fdt_off_dt_struct(fdt);
+       bool expect_end = false;
 
        end = path;
        *end = '\0';
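Review bot: `bool expect_end = false;` is the only use of `bool` visible in this function, and whether the header that provides it (`<stdbool.h>` or the project's usual type header) is already included by this file is not visible in the hunk, so that should be confirmed before merging. fdt_find_regions starts before and ends after this hunk.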
@@ -59,6 +60,10 @@ int fdt_find_regions(const void *fdt, char * const inc[], 
int inc_count,
                tag = fdt_next_tag(fdt, offset, &nextoffset);
                stop_at = nextoffset;
 
+               /* If we see two root nodes, something is wrong */
+               if (expect_end && tag != FDT_END)
+                       return -FDT_ERR_BADLAYOUT;
+
                switch (tag) {
                case FDT_PROP:
                        include = want >= 2;
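Review bot: The new early return `return -FDT_ERR_BADLAYOUT;` disagrees with the commit message, which says -FDT_ERR_BADSTRUCTURE, and with the existing FDT_MAX_DEPTH check further down this function that already returns -FDT_ERR_BADSTRUCTURE for a malformed structure block; in libfdt FDT_ERR_BADLAYOUT denotes mis-ordered or overlapping blocks, not a bad token sequence, so I would change this line to `return -FDT_ERR_BADSTRUCTURE;` and do the same at the root-name check in the next hunk. Separately, if the switch below handles FDT_NOP (not visible here), `tag != FDT_END` will also reject a NOP token between the root's FDT_END_NODE and FDT_END, which the flattened-tree format permits; `if (expect_end && tag != FDT_END && tag != FDT_NOP)` would limit the rejection to the two-root-node case the commit targets. fdt_find_regions starts and ends outside this hunk.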
@@ -81,6 +86,10 @@ int fdt_find_regions(const void *fdt, char * const inc[], 
int inc_count,
                        if (depth == FDT_MAX_DEPTH)
                                return -FDT_ERR_BADSTRUCTURE;
                        name = fdt_get_name(fdt, offset, &len);
+
+                       /* The root node must have an empty name */
+                       if (!depth && *name)
+                               return -FDT_ERR_BADLAYOUT;
                        if (end - path + 2 + len >= path_len)
                                return -FDT_ERR_NOSPACE;
                        if (end != path + 1)
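Review bot: `if (!depth && *name)` dereferences the result of fdt_get_name() without a NULL check; fdt_get_name() returns NULL for a malformed node (leaving the negative error code in len), and nothing between the call and the new test guards against that, so a crafted FIT can turn the new validation into a NULL dereference rather than a clean error. A guard such as `if (!name) return -FDT_ERR_BADSTRUCTURE;` placed before the name check closes that. The error code returned here has the same BADLAYOUT-versus-BADSTRUCTURE mismatch with the commit message as the check in the previous hunk. The enclosing switch case and fdt_find_regions continue outside the hunk.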
@@ -108,6 +117,8 @@ int fdt_find_regions(const void *fdt, char * const inc[], 
int inc_count,
                        while (end > path && *--end != '/')
                                ;
                        *end = '\0';
+                       if (depth == -1)
+                               expect_end = true;
                        break;
 
                case FDT_END:
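Review bot: `if (depth == -1) expect_end = true;` is the state the earlier two-root-node check depends on, but its meaning relies on the depth decrement that sits outside this hunk and is not explained in place; a one-line comment would help the next reader, e.g. `/* Root node closed: only FDT_END may follow */`. fdt_find_regions and this FDT_END_NODE case both start outside the hunk.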
-- 
2.30.0.478.g8a0d178c01-goog
