On Mon, Feb 23, 2026 at 01:40:04PM -0700, James Hilliard wrote:
> boot_get_fdt_fit_into_buffer() calls fdt_open_into() for both the
> base FDT and overlay DTO blobs loaded from a FIT image.
>
> Those blobs come from FIT payload data. In the overlay path,
> fit_image_load() is called with FIT_LOAD_IGNORED, so the IH_TYPE_FLATDT
> header check in fit_image_load() is skipped. This leaves fdt_open_into()
> to consume header-derived offsets/sizes from unvalidated input.
>
> Validate the full blob against the payload length first with
> fdt_check_full(fdtsrcbuf, srclen), then proceed with fdt_totalsize() and
> fdt_open_into(). This fixes Coverity CID 644638 (TAINTED_SCALAR).
>
> Fixes: 5ebf0c55a23 ("image: fit: Apply overlays using aligned writable FDT copies")
> Link: https://lore.kernel.org/all/20260223195109.GG3233182@bill-the-cat/
> Signed-off-by: James Hilliard <[email protected]>

Thanks for such a quick response.

Addresses-Coverity-ID: 644638 (TAINTED_SCALAR)
Reviewed-by: Tom Rini <[email protected]>

-- 
Tom
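The pattern the commit message describes, validating the whole blob against the payload length before trusting fdt_totalsize() and copying it into a writable buffer, as an added standalone example. This is not U-Boot or libfdt code: check_fdt_bounds(), load_fdt_into(), unchecked_totalsize() and build_minimal_fdt() are hypothetical names, the header layout and magic are taken from the flattened device tree spec, and the rules mirror only the header part of what fdt_check_full() does (the structure-block walk is omitted). The sample blob is constructed in the code.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Standalone example, not libfdt or U-Boot code. Header layout and magic
 * come from the flattened device tree spec: ten big-endian u32 fields. */
#define FDT_MAGIC       0xd00dfeedu
#define FDT_HEADER_SIZE 40u

enum { FDT_OK = 0, ERR_TRUNCATED, ERR_BADMAGIC, ERR_BADVERSION,
       ERR_BADSIZE, ERR_BADOFFSET, ERR_NOSPACE };

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | p[3];
}

static void put_be32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
}

/* The tainted-scalar pattern: totalsize read from an unvalidated header. */
uint32_t unchecked_totalsize(const uint8_t *blob)
{
    return be32(blob + 4);
}

/* Check every header-derived offset/size against the real payload length,
 * the role fdt_check_full() plays in the fix. libfdt additionally walks
 * the structure block; that part is omitted here (hypothetical helper). */
int check_fdt_bounds(const uint8_t *blob, size_t payload_len)
{
    if (payload_len < FDT_HEADER_SIZE)
        return ERR_TRUNCATED;
    if (be32(blob) != FDT_MAGIC)
        return ERR_BADMAGIC;
    uint32_t totalsize = be32(blob + 4), off_struct = be32(blob + 8);
    uint32_t off_strings = be32(blob + 12), off_rsvmap = be32(blob + 16);
    uint32_t version = be32(blob + 20), last_comp = be32(blob + 24);
    uint32_t size_strings = be32(blob + 32), size_struct = be32(blob + 36);
    if (version < 16 || last_comp > 17)
        return ERR_BADVERSION;
    /* totalsize must cover the header and lie inside the payload */
    if (totalsize < FDT_HEADER_SIZE || totalsize > payload_len)
        return ERR_BADSIZE;
    /* offset + size is summed in 64 bits so the addition cannot wrap */
    if ((off_rsvmap & 7) || off_rsvmap > totalsize)
        return ERR_BADOFFSET;
    if ((off_struct & 3) || (uint64_t)off_struct + size_struct > totalsize)
        return ERR_BADOFFSET;
    if ((uint64_t)off_strings + size_strings > totalsize)
        return ERR_BADOFFSET;
    return FDT_OK;
}

/* Copy a checked blob into a writable buffer, the step that precedes
 * fdt_open_into(). Returns bytes copied, or a negative error code. */
int load_fdt_into(const uint8_t *src, size_t srclen,
                  uint8_t *dst, size_t dstlen)
{
    int rc = check_fdt_bounds(src, srclen);
    if (rc != FDT_OK)
        return -rc;
    uint32_t totalsize = be32(src + 4);   /* safe to trust only now */
    if (totalsize > dstlen)
        return -ERR_NOSPACE;
    memcpy(dst, src, totalsize);
    return (int)totalsize;
}

/* Constructed sample input: the smallest well-formed FDT, an empty root
 * node. Returns its totalsize (72), or 0 if the buffer is too small. */
size_t build_minimal_fdt(uint8_t *out, size_t cap)
{
    if (cap < 72)
        return 0;
    memset(out, 0, 72);
    put_be32(out + 0,  FDT_MAGIC);
    put_be32(out + 4,  72);   /* totalsize */
    put_be32(out + 8,  56);   /* off_dt_struct */
    put_be32(out + 12, 72);   /* off_dt_strings: empty block at the end */
    put_be32(out + 16, 40);   /* off_mem_rsvmap: one all-zero terminator */
    put_be32(out + 20, 17);   /* version */
    put_be32(out + 24, 16);   /* last_comp_version */
    put_be32(out + 36, 16);   /* size_dt_struct */
    put_be32(out + 56, 1);    /* FDT_BEGIN_NODE, name "" padded to 4 */
    put_be32(out + 64, 2);    /* FDT_END_NODE */
    put_be32(out + 68, 9);    /* FDT_END */
    return 72;
}
```

Build the sample with build_minimal_fdt(), overwrite the totalsize field with a large value as a hostile FIT payload could, and compare unchecked_totalsize() with load_fdt_into(): the former hands back the attacker's number as a copy length, the latter rejects the blob before any length derived from the header is used.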

