From bb2b54f19e202d5781ec6c05b3d584fcd85cddcc Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Pierre-Cl=C3=A9ment=20Tosi?= Date: Fri, 6 Oct 2023 14:39:12 +0100 Subject: [PATCH] ANDROID: Revert "Fix integer wrap sanitisation." This reverts commit 0e783e26f75c08e421467ca4a6c21ff2589cd2fa. Revert the patch we've had in Android now that upstream has [1] commit 73590342fc85 ("libfdt: prevent integer overflow in fdt_next_tag") which addresses the same bug. As that patch is less rigorous w.r.t. the final value of 'offset' than the one, the last 'if' is upstreamed by [2], which will be cherry-picked here. [1]: https://android.googlesource.com/platform/external/dtc/+/73590342fc85ca207ca1e6cbc110179873a96962 [2]: https://lore.kernel.org/devicetree-compiler/20231011172427.g4tlsew3wsjtddil@google.com/ Test: N/A Change-Id: I662a599713b4090abd090322bca0a78e58f4c92c --- libfdt/fdt.c | 19 +++++-------------- 1 file changed, 5 insertions(+), 14 deletions(-) diff --git a/libfdt/fdt.c b/libfdt/fdt.c index c17cad5..9fe7cf4 100644 --- a/libfdt/fdt.c +++ b/libfdt/fdt.c @@ -188,20 +188,12 @@ uint32_t fdt_next_tag(const void *fdt, int startoffset, int *nextoffset) break; case FDT_PROP: - lenp = fdt_offset_ptr(fdt, offset, sizeof(struct fdt_property) - FDT_TAGSIZE); + lenp = fdt_offset_ptr(fdt, offset, sizeof(*lenp)); if (!can_assume(VALID_DTB) && !lenp) return FDT_END; /* premature end */ - - /* skip name offset, length */ - offset += sizeof(struct fdt_property) - FDT_TAGSIZE; - - if (!can_assume(VALID_DTB) - && !fdt_offset_ptr(fdt, offset, fdt32_to_cpu(*lenp))) - return FDT_END; /* premature end */ - - /* skip value */ - offset += fdt32_to_cpu(*lenp); - + /* skip-name offset, length and value */ + offset += sizeof(struct fdt_property) - FDT_TAGSIZE + + fdt32_to_cpu(*lenp); if (!can_assume(LATEST) && fdt_version(fdt) < 0x10 && fdt32_to_cpu(*lenp) >= 8 && ((offset - fdt32_to_cpu(*lenp)) % 8) != 0) 
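Review bot: The reinstated `offset += sizeof(struct fdt_property) - FDT_TAGSIZE + fdt32_to_cpu(*lenp);` adds a blob-controlled `uint32_t` to `int offset`, so a crafted property length can wrap `offset` to below `startoffset`, and the revert also drops the in-place check that the value bytes lie inside the blob (`fdt_offset_ptr(fdt, offset, fdt32_to_cpu(*lenp))`); this line now relies entirely on the function's final `fdt_offset_ptr(fdt, startoffset, offset - startoffset)` check to catch both. That matches the upstream commit cited in the message, but nothing at this site says so, and a comment would stop the next reader from trusting `offset` here or re-adding a half-check: `/* len is untrusted and may wrap offset; the final fdt_offset_ptr() check below must reject it */`. Note that `lenp` is only validated for `sizeof(*lenp)` bytes, so `*lenp` is safe to read but the value it describes is not yet known to be in bounds. fdt_next_tag() starts before this hunk and continues past it.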
@@ -217,8 +209,7 @@ uint32_t fdt_next_tag(const void *fdt, int startoffset, int *nextoffset) return FDT_END; } - if (!can_assume(VALID_DTB) && (offset <= startoffset - || !fdt_offset_ptr(fdt, startoffset, offset - startoffset))) + if (!fdt_offset_ptr(fdt, startoffset, offset - startoffset)) return FDT_END; /* premature end */ *nextoffset = FDT_TAGALIGN(offset);
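Review bot: The new `if (!fdt_offset_ptr(fdt, startoffset, offset - startoffset))` drops the explicit `offset <= startoffset` guard, so when the FDT_PROP addition in the earlier hunk wraps `offset`, the only thing rejecting it is fdt_offset_ptr() being handed a negative `int` difference as its length argument; whether that is caught depends on the overflow checks inside fdt_offset_ptr(), which are outside this diff and, in libfdt, are themselves subject to `can_assume()` shortcuts. The message defers that guard to a later cherry-pick of [2], which leaves the tree between the two commits without it, and since it is one line it would be safer to carry it in this revert: `if (offset <= startoffset || !fdt_offset_ptr(fdt, startoffset, offset - startoffset))`. Keeping the check unconditional (no `can_assume(VALID_DTB)`), as the new line does, is the right call because `*lenp` comes straight from the blob. fdt_next_tag() ends after this hunk.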