ANDROID: Revert "Fix integer wrap sanitisation."

This reverts commit 0e783e26f7. Revert the patch we've had in Android now that upstream has [1] commit 73590342fc85 ("libfdt: prevent integer overflow in fdt_next_tag") which addresses the same bug. As that patch is less rigorous w.r.t. the final value of 'offset' than the one, the last 'if' is upstreamed by [2], which will be cherry-picked here. [1]: 73590342fc [2]: https://lore.kernel.org/devicetree-compiler/20231011172427.g4tlsew3wsjtddil@google.com/ Test: N/A Change-Id: I662a599713b4090abd090322bca0a78e58f4c92c
2023-10-06 14:39:12 +01:00
parent 8246453859
commit bb2b54f19e
1 changed files with 5 additions and 14 deletions
--- a/libfdt/fdt.c
+++ b/libfdt/fdt.c
@@ -188,20 +188,12 @@ uint32_t fdt_next_tag(const void *fdt, int startoffset, int *nextoffset)
 		break;

 	case FDT_PROP:
-		lenp = fdt_offset_ptr(fdt, offset, sizeof(struct fdt_property) - FDT_TAGSIZE);
+		lenp = fdt_offset_ptr(fdt, offset, sizeof(*lenp));
 		if (!can_assume(VALID_DTB) && !lenp)
 			return FDT_END; /* premature end */
-
-		/* skip name offset, length */
-		offset += sizeof(struct fdt_property) - FDT_TAGSIZE;
-
-		if (!can_assume(VALID_DTB)
-		    && !fdt_offset_ptr(fdt, offset, fdt32_to_cpu(*lenp)))
-			return FDT_END; /* premature end */
-
-		/* skip value */
-		offset += fdt32_to_cpu(*lenp);
-
+		/* skip-name offset, length and value */
+		offset += sizeof(struct fdt_property) - FDT_TAGSIZE
+			+ fdt32_to_cpu(*lenp);
 		if (!can_assume(LATEST) &&
 		    fdt_version(fdt) < 0x10 && fdt32_to_cpu(*lenp) >= 8 &&
 		    ((offset - fdt32_to_cpu(*lenp)) % 8) != 0)
@@ -217,8 +209,7 @@ uint32_t fdt_next_tag(const void *fdt, int startoffset, int *nextoffset)
 		return FDT_END;
 	}

-	if (!can_assume(VALID_DTB) && (offset <= startoffset
-	    || !fdt_offset_ptr(fdt, startoffset, offset - startoffset)))
+	if (!fdt_offset_ptr(fdt, startoffset, offset - startoffset))
 		return FDT_END; /* premature end */

 	*nextoffset = FDT_TAGALIGN(offset);