random-mirrors/smaeul-u-boot
1
0
Fork 0
mirror of https://github.com/smaeul/u-boot.git synced 2025-10-13 20:36:02 +01:00
Code Issues Packages Projects Releases Wiki Activity

fdt: Fix bounds check in devfdt_get_addr_index

Browse Source 
reg must contain enough cells for the entire next address/size pair
after skipping `index` pairs. The previous code allows an out-of-bounds
read when na + ns > 1.

Series-to: Simon Glass <sjg@chromium.org>

Fixes: 69b41388ba45 ("dm: core: Add a new api to get indexed device address")
Signed-off-by: Samuel Holland <samuel@sholland.org>
This commit is contained in:
Samuel Holland 2022-10-30 14:53:45 -05:00
parent a90afc6730
commit f2a2765625
1 changed files with 1 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
drivers/core/fdtaddr.c
View File

@ -43,7 +43,7 @@ fdt_addr_t devfdt_get_addr_index(const struct udevice *dev, int index)
} }
reg = fdt_getprop(gd->fdt_blob, offset, "reg", &len); reg = fdt_getprop(gd->fdt_blob, offset, "reg", &len);
if (!reg || (len <= (index * sizeof(fdt32_t) * (na + ns)))) { if (!reg || (len < ((index + 1) * sizeof(fdt32_t) * (na + ns)))) {
debug("Req index out of range\n"); debug("Req index out of range\n");
return FDT_ADDR_T_NONE; return FDT_ADDR_T_NONE;
} }