From 0b2939464feef001e4d4b69578f29a7a4d572fcd Mon Sep 17 00:00:00 2001 From: James Hilliard Date: Mon, 23 Feb 2026 13:40:04 -0700 Subject: boot: fit: validate FDT/DTO payload before fdt_open_into() boot_get_fdt_fit_into_buffer() calls fdt_open_into() for both the base FDT and overlay DTO blobs loaded from a FIT image. Those blobs come from FIT payload data. In the overlay path, fit_image_load() is called with FIT_LOAD_IGNORED, so the IH_TYPE_FLATDT header check in fit_image_load() is skipped. This leaves fdt_open_into() to consume header-derived offsets/sizes from unvalidated input. Validate the full blob against the payload length first with fdt_check_full(fdtsrcbuf, srclen), then proceed with fdt_totalsize() and fdt_open_into(). This fixes Coverity CID 644638 (TAINTED_SCALAR). Fixes: 5ebf0c55a23 ("image: fit: Apply overlays using aligned writable FDT copies") Link: https://lore.kernel.org/all/20260223195109.GG3233182@bill-the-cat/ Signed-off-by: James Hilliard Reviewed-by: Tom Rini --- boot/image-fit.c | 8 ++++++++ 1 file changed, 8 insertions(+) (limited to 'boot') diff --git a/boot/image-fit.c b/boot/image-fit.c index ddc64debb14..e7c7212195f 100644 --- a/boot/image-fit.c +++ b/boot/image-fit.c @@ -2390,6 +2390,14 @@ static int boot_get_fdt_fit_into_buffer(const void *src, ulong srclen, fdtsrcbuf = tmp; } + /* + * Source data comes from FIT payload. Validate the blob against + * payload length before fdt_open_into() trusts header offsets/sizes. + */ + err = fdt_check_full(fdtsrcbuf, srclen); + if (err < 0) + goto out; + newdstlen = ALIGN(fdt_totalsize(fdtsrcbuf) + extra, SZ_4K); min_dstlen = ALIGN(min_dstlen, SZ_4K); if (newdstlen < min_dstlen) -- cgit v1.2.3
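Review bot: the new `err = fdt_check_full(fdtsrcbuf, srclen);` check is placed right after the `fdtsrcbuf = tmp;` reassignment in the preceding context, so please confirm that `srclen` is still the length of the buffer `fdtsrcbuf` now points at; `fdt_check_full()` bounds every header-derived offset against the length it is given, so passing the original payload length for a differently sized aligned copy would either let the check read past the copy or reject valid blobs. Separately, `goto out` propagates a raw libfdt error code (a negative `FDT_ERR_*` value) through `err`; if the rest of boot_get_fdt_fit_into_buffer() returns `-errno` style values, consider mapping the failure to something like `-EINVAL` (and logging the `fdt_strerror(err)` text) so callers do not see a mix of error namespaces. The check itself is the right fix for the TAINTED_SCALAR finding, since it validates the whole structure block before `fdt_totalsize()` and `fdt_open_into()` trust the header.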