summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorAristo Chen <[email protected]>2026-05-26 02:09:14 +0000
committerTom Rini <[email protected]>2026-06-11 12:01:15 -0600
commitca774b94d66332b6bd033369227ac487ad07d5e8 (patch)
treeb25c0c174a49dd3e203d5ef0278a81ada9efca4d
parent987907ae4bcc5d6055bdf7d318a3edf53e14d5fa (diff)
fdt_support: bound serialN alias length before copying to stack
fdt_fixup_stdout() reads the path stored in /aliases/serialN with fdt_getprop() and then memcpys it into a fixed 256-byte stack buffer. The length returned by libfdt is the raw on-disk property size and is not bounded by any console-path convention, so an oversized property in a malformed or untrusted devicetree overflows the buffer with attacker-controlled length and contents. The "/* long enough */" comment next to tmp[] codifies an unchecked assumption. Reject lengths that exceed sizeof(tmp) with a debug-only message and return -FDT_ERR_NOSPACE. The fixup runs during fdt_chosen() on every booted kernel when CONFIG_OF_STDOUT_VIA_ALIAS is enabled, and when the OS devicetree is not signature-verified the property is reachable from an attacker-influenced blob. Using debug() rather than printf() keeps the rejection text out of production builds so there is no .text or .rodata growth on space-constrained targets. Signed-off-by: Aristo Chen <[email protected]>
-rw-r--r--boot/fdt_support.c6
1 files changed, 6 insertions, 0 deletions
diff --git a/boot/fdt_support.c b/boot/fdt_support.c
index 1c215e548db..bdf651364b4 100644
--- a/boot/fdt_support.c
+++ b/boot/fdt_support.c
@@ -160,6 +160,12 @@ static int fdt_fixup_stdout(void *fdt, int chosenoff)
goto noalias;
}
+ if (len > (int)sizeof(tmp)) {
+ debug("%s: %s alias path too long (%d bytes)\n",
+ __func__, sername, len);
+ return -FDT_ERR_NOSPACE;
+ }
+
/* fdt_setprop may break "path" so we copy it to tmp buffer */
memcpy(tmp, path, len);