On Mon, Feb 15, 2021 at 05:08:05PM -0700, Simon Glass wrote: > At present fdt_find_regions() assumes that the FIT is a valid devicetree. > If the FIT has two root nodes this is currently not detected in this > function, nor does libfdt's fdt_check_full() notice. Also it is possible > for the root node to have a name even though it should not. > > Add checks for these and return -FDT_ERR_BADSTRUCTURE if a problem is > detected. > > CVE-2021-27097 > > Signed-off-by: Simon Glass <s...@chromium.org> > Reported-by: Bruce Monroe <bruce.mon...@intel.com> > Reported-by: Arie Haenel <arie.hae...@intel.com> > Reported-by: Julien Lenoir <julien.len...@intel.com>
Applied to u-boot/master, thanks! -- Tom
signature.asc
Description: PGP signature