| author | Aristo Chen <[email protected]> | 2026-05-26 02:09:14 +0000 |
|---|---|---|
| committer | Tom Rini <[email protected]> | 2026-06-11 12:01:15 -0600 |
| commit | ca774b94d66332b6bd033369227ac487ad07d5e8 (patch) | |
| tree | b25c0c174a49dd3e203d5ef0278a81ada9efca4d /contrib/apps/httpserver | |
| parent | 987907ae4bcc5d6055bdf7d318a3edf53e14d5fa (diff) | |
fdt_support: bound serialN alias length before copying to stack

fdt_fixup_stdout() reads the path stored in /aliases/serialN with
fdt_getprop() and then memcpys it into a fixed 256-byte stack buffer.
The length returned by libfdt is the raw on-disk property size and is
not bounded by any console-path convention, so an oversized property
in a malformed or untrusted devicetree overflows the buffer with
attacker-controlled length and contents. The "/* long enough */"
comment next to tmp[] codifies an unchecked assumption.

Reject lengths that exceed sizeof(tmp) with a debug-only message and
return -FDT_ERR_NOSPACE. The fixup runs during fdt_chosen() on every
booted kernel when CONFIG_OF_STDOUT_VIA_ALIAS is enabled, and when
the OS devicetree is not signature-verified the property is reachable
from an attacker-influenced blob. Using debug() rather than printf()
keeps the rejection text out of production builds so there is no
.text or .rodata growth on space-constrained targets.

Signed-off-by: Aristo Chen <[email protected]>
Diffstat (limited to 'contrib/apps/httpserver')
0 files changed, 0 insertions, 0 deletions
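The length check described in the commit message, as an added C example that is not the U-Boot patch or code from this commit. The helper `ex_copy_alias()`, the driver `ex_try_len()`, the `EX_` constants and the canary layout are hypothetical; the property pointer and length model what `fdt_getprop()` returns, so the example builds without libfdt.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Local stand-ins (assumption: mirror libfdt, where FDT_ERR_NOTFOUND is 1
 * and FDT_ERR_NOSPACE is 3). */
#define EX_FDT_ERR_NOTFOUND 1
#define EX_FDT_ERR_NOSPACE  3
#define EX_TMP_SIZE 256 /* fixed stack buffer size named in the commit message */

/*
 * Hypothetical helper: copy a property value of 'len' bytes into 'dst'.
 * 'prop'/'len' follow the fdt_getprop() convention: NULL plus a negative
 * error code on failure, otherwise a pointer and the raw property size.
 * Returns the number of bytes copied, or a negative FDT-style error.
 */
int ex_copy_alias(char *dst, size_t dst_size, const void *prop, int len)
{
	if (!prop)
		return len < 0 ? len : -EX_FDT_ERR_NOTFOUND;
	if (len < 0 || (size_t)len > dst_size)
		return -EX_FDT_ERR_NOSPACE; /* reject instead of overflowing */
	memcpy(dst, prop, (size_t)len);
	return len;
}

/*
 * Constructed driver: pushes a 'len'-byte property (len <= 512) through the
 * helper into a 256-byte buffer followed by canary bytes. Returns the
 * helper's result, or -1000 if the canary was overwritten.
 */
int ex_try_len(int len)
{
	static char blob[512]; /* constructed property contents */
	struct { char tmp[EX_TMP_SIZE]; unsigned char canary[8]; } f;
	int ret;

	memset(blob, 'A', sizeof(blob));
	memset(f.canary, 0x5a, sizeof(f.canary));
	ret = ex_copy_alias(f.tmp, sizeof(f.tmp), blob, len);
	for (size_t i = 0; i < sizeof(f.canary); i++)
		if (f.canary[i] != 0x5a)
			return -1000;
	return ret;
}

int main(void)
{
	printf("19:%d 256:%d 257:%d\n", ex_try_len(19), ex_try_len(256), ex_try_len(257));
	return 0;
}
```

A length equal to the buffer size is accepted because the copy is of raw property bytes with an explicit length, matching "reject lengths that exceed sizeof(tmp)".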
