From 491c7b6f42a8101f1e84cf8e13a0e23b5eca729e Mon Sep 17 00:00:00 2001 From: David Gibson Date: Sun, 2 Oct 2016 17:59:26 -0600 Subject: libfdt: Fix undefined behaviour in fdt_offset_ptr() Using pointer arithmetic to generate a pointer outside a known object is, technically, undefined behaviour in C. Unfortunately, we were using that in fdt_offset_ptr() to detect overflows. To fix this we need to do our bounds / overflow checking on the offsets before constructing pointers from them. Reported-by: David Binderman Signed-off-by: David Gibson Signed-off-by: Simon Glass --- lib/libfdt/fdt.c | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) (limited to 'lib') diff --git a/lib/libfdt/fdt.c b/lib/libfdt/fdt.c index 96017a15a27..2055734012a 100644 --- a/lib/libfdt/fdt.c +++ b/lib/libfdt/fdt.c @@ -35,18 +35,19 @@ int fdt_check_header(const void *fdt) const void *fdt_offset_ptr(const void *fdt, int offset, unsigned int len) { - const char *p; + unsigned absoffset = offset + fdt_off_dt_struct(fdt); + + if ((absoffset < offset) + || ((absoffset + len) < absoffset) + || (absoffset + len) > fdt_totalsize(fdt)) + return NULL; if (fdt_version(fdt) >= 0x11) if (((offset + len) < offset) || ((offset + len) > fdt_size_dt_struct(fdt))) return NULL; - p = _fdt_offset_ptr(fdt, offset); - - if (p + len < p) - return NULL; - return p; + return _fdt_offset_ptr(fdt, offset); } uint32_t fdt_next_tag(const void *fdt, int startoffset, int *nextoffset) -- cgit v1.2.3 From 9c07b9877cf07a1a971a79ed7c2369a58c0baca2 Mon Sep 17 00:00:00 2001 From: Simon Glass Date: Sun, 2 Oct 2016 17:59:27 -0600 Subject: libfdt: Sync up with upstream This includes small changes to the following functions, from upstream commit 6d1832c: - fdt_get_max_phandle() (upstream commit 84e0e134) - fdt_node_check_compatible (upstream commit 53bf130b) - fdt_setprop_inplace_namelen_partial() to remove useless brackets and use idx instead of index - _fdt_resize_property() to use idx instead of index - _fdt_splice() (upstream commit d4c7c25c) It also includes various typo fixes in libfdt.h Signed-off-by: Simon Glass --- lib/libfdt/fdt_ro.c | 10 ++++------ lib/libfdt/fdt_rw.c | 4 +++- lib/libfdt/fdt_wip.c | 6 +++--- 3 files changed, 10 insertions(+), 10 deletions(-) (limited to 'lib') diff --git a/lib/libfdt/fdt_ro.c b/lib/libfdt/fdt_ro.c index 9cc98db6e2b..005f26736f8 100644 --- a/lib/libfdt/fdt_ro.c +++ b/lib/libfdt/fdt_ro.c @@ -60,11 +60,11 @@ uint32_t fdt_get_max_phandle(const void *fdt) return max_phandle; if (offset < 0) - return 0; + return (uint32_t)-1; phandle = fdt_get_phandle(fdt, offset); if (phandle == (uint32_t)-1) - return 0; + continue; if (phandle > max_phandle) max_phandle = phandle; @@ -623,10 +623,8 @@ int fdt_node_check_compatible(const void *fdt, int nodeoffset, prop = fdt_getprop(fdt, nodeoffset, "compatible", &len); if (!prop) return len; - if (fdt_stringlist_contains(prop, len, compatible)) - return 0; - else - return 1; + + return !fdt_stringlist_contains(prop, len, compatible); } int fdt_node_offset_by_compatible(const void *fdt, int startoffset, diff --git a/lib/libfdt/fdt_rw.c b/lib/libfdt/fdt_rw.c index 47447b2bce8..87d4030fb14 100644 --- a/lib/libfdt/fdt_rw.c +++ b/lib/libfdt/fdt_rw.c @@ -60,6 +60,8 @@ static int _fdt_splice(void *fdt, void *splicepoint, int oldlen, int newlen) if (((p + oldlen) < p) || ((p + oldlen) > end)) return -FDT_ERR_BADOFFSET; + if ((p < (char *)fdt) || ((end - oldlen + newlen) < (char *)fdt)) + return -FDT_ERR_BADOFFSET; if ((end - oldlen + newlen) > ((char *)fdt + fdt_totalsize(fdt))) return -FDT_ERR_NOSPACE; memmove(p + newlen, p + oldlen, end - p - oldlen); @@ -164,7 +166,7 @@ static int _fdt_resize_property(void *fdt, int nodeoffset, const char *name, int err; *prop = fdt_get_property_w(fdt, nodeoffset, name, &oldlen); - if (!(*prop)) + if (!*prop) return oldlen; if ((err = _fdt_splice_struct(fdt, (*prop)->data, FDT_TAGALIGN(oldlen), diff --git a/lib/libfdt/fdt_wip.c b/lib/libfdt/fdt_wip.c index 216c51287d0..45fb9641206 100644 --- a/lib/libfdt/fdt_wip.c +++ b/lib/libfdt/fdt_wip.c @@ -16,7 +16,7 @@ int fdt_setprop_inplace_namelen_partial(void *fdt, int nodeoffset, const char *name, int namelen, - uint32_t index, const void *val, + uint32_t idx, const void *val, int len) { void *propval; @@ -27,10 +27,10 @@ int fdt_setprop_inplace_namelen_partial(void *fdt, int nodeoffset, if (!propval) return proplen; - if (proplen < (len + index)) + if (proplen < (len + idx)) return -FDT_ERR_NOSPACE; - memcpy(propval + index, val, len); + memcpy((char *)propval + idx, val, len); return 0; } -- cgit v1.2.3 From b02e4044ff8ee1f6ac83917a39514172a9b449fb Mon Sep 17 00:00:00 2001 From: Simon Glass Date: Sun, 2 Oct 2016 17:59:28 -0600 Subject: libfdt: Bring in upstream stringlist functions These have now landed upstream. The naming is different and in one case the function signature has changed. Update the code to match. This applies the following upstream commits by Thierry Reding : 604e61e fdt: Add functions to retrieve strings 8702bd1 fdt: Add a function to get the index of a string 2218387 fdt: Add a function to count strings Signed-off-by: Simon Glass --- lib/fdtdec.c | 2 +- lib/libfdt/fdt_ro.c | 104 ++++++++++++++++++++++++++++++++-------------------- 2 files changed, 65 insertions(+), 41 deletions(-) (limited to 'lib') diff --git a/lib/fdtdec.c b/lib/fdtdec.c index 4defb902b87..adc9975c361 100644 --- a/lib/fdtdec.c +++ b/lib/fdtdec.c @@ -1014,7 +1014,7 @@ int fdt_get_named_resource(const void *fdt, int node, const char *property, { int index; - index = fdt_find_string(fdt, node, prop_names, name); + index = fdt_stringlist_search(fdt, node, prop_names, name); if (index < 0) return index; diff --git a/lib/libfdt/fdt_ro.c b/lib/libfdt/fdt_ro.c index 005f26736f8..e38aaa4ccf9 100644 --- a/lib/libfdt/fdt_ro.c +++ b/lib/libfdt/fdt_ro.c @@ -538,80 +538,104 @@ int fdt_stringlist_contains(const char *strlist, int listlen, const char *str) return 0; } -int fdt_count_strings(const void *fdt, int node, const char *property) +int fdt_stringlist_count(const void *fdt, int nodeoffset, const char *property) { - int length, i, count = 0; - const char *list; + const char *list, *end; + int length, count = 0; - list = fdt_getprop(fdt, node, property, &length); + list = fdt_getprop(fdt, nodeoffset, property, &length); if (!list) - return length; + return -length; + + end = list + length; + + while (list < end) { + length = strnlen(list, end - list) + 1; - for (i = 0; i < length; i++) { - int len = strlen(list); + /* Abort if the last string isn't properly NUL-terminated. */ + if (list + length > end) + return -FDT_ERR_BADVALUE; - list += len + 1; - i += len; + list += length; count++; } return count; } -int fdt_find_string(const void *fdt, int node, const char *property, - const char *string) +int fdt_stringlist_search(const void *fdt, int nodeoffset, const char *property, + const char *string) { + int length, len, idx = 0; const char *list, *end; - int len, index = 0; - list = fdt_getprop(fdt, node, property, &len); + list = fdt_getprop(fdt, nodeoffset, property, &length); if (!list) - return len; + return -length; - end = list + len; - len = strlen(string); + len = strlen(string) + 1; + end = list + length; while (list < end) { - int l = strlen(list); + length = strnlen(list, end - list) + 1; + + /* Abort if the last string isn't properly NUL-terminated. */ + if (list + length > end) + return -FDT_ERR_BADVALUE; - if (l == len && memcmp(list, string, len) == 0) - return index; + if (length == len && memcmp(list, string, length) == 0) + return idx; - list += l + 1; - index++; + list += length; + idx++; } return -FDT_ERR_NOTFOUND; } -int fdt_get_string_index(const void *fdt, int node, const char *property, - int index, const char **output) +const char *fdt_stringlist_get(const void *fdt, int nodeoffset, + const char *property, int idx, + int *lenp) { - const char *list; - int length, i; + const char *list, *end; + int length; + + list = fdt_getprop(fdt, nodeoffset, property, &length); + if (!list) { + if (lenp) + *lenp = length; - list = fdt_getprop(fdt, node, property, &length); + return NULL; + } - for (i = 0; i < length; i++) { - int len = strlen(list); + end = list + length; - if (index == 0) { - *output = list; - return 0; + while (list < end) { + length = strnlen(list, end - list) + 1; + + /* Abort if the last string isn't properly NUL-terminated. */ + if (list + length > end) { + if (lenp) + *lenp = -FDT_ERR_BADVALUE; + + return NULL; + } + + if (idx == 0) { + if (lenp) + *lenp = length - 1; + + return list; } - list += len + 1; - i += len; - index--; + list += length; + idx--; } - return -FDT_ERR_NOTFOUND; -} + if (lenp) + *lenp = -FDT_ERR_NOTFOUND; -int fdt_get_string(const void *fdt, int node, const char *property, - const char **output) -{ - return fdt_get_string_index(fdt, node, property, 0, output); + return NULL; } int fdt_node_check_compatible(const void *fdt, int nodeoffset, -- cgit v1.2.3 From df87e6b1b815ae3484ea2aa7c53b90af382eae1b Mon Sep 17 00:00:00 2001 From: Simon Glass Date: Sun, 2 Oct 2016 17:59:29 -0600 Subject: libfdt: Sync fdt_for_each_subnode() with upstream The signature for this macro has changed. Bring in the upstream version and adjust U-Boot's usages to suit. Signed-off-by: Simon Glass Update to drivers/power/pmic/palmas.c: Signed-off-by: Keerthy Change-Id: I6cc9021339bfe686f9df21d61a1095ca2b3776e8 --- lib/fdtdec.c | 2 +- lib/libfdt/fdt_overlay.c | 8 ++++---- 2 files changed, 5 insertions(+), 5 deletions(-) (limited to 'lib') diff --git a/lib/fdtdec.c b/lib/fdtdec.c index adc9975c361..4e619c49a2f 100644 --- a/lib/fdtdec.c +++ b/lib/fdtdec.c @@ -836,7 +836,7 @@ int fdtdec_get_child_count(const void *blob, int node) int subnode; int num = 0; - fdt_for_each_subnode(blob, subnode, node) + fdt_for_each_subnode(subnode, blob, node) num++; return num; diff --git a/lib/libfdt/fdt_overlay.c b/lib/libfdt/fdt_overlay.c index 40b6d274558..d35ceacbf00 100644 --- a/lib/libfdt/fdt_overlay.c +++ b/lib/libfdt/fdt_overlay.c @@ -146,7 +146,7 @@ static int overlay_adjust_node_phandles(void *fdto, int node, if (!found && !ret) return ret; - fdt_for_each_subnode(fdto, child, node) + fdt_for_each_subnode(child, fdto, node) overlay_adjust_node_phandles(fdto, child, delta); return 0; @@ -248,7 +248,7 @@ static int overlay_update_local_node_references(void *fdto, } } - fdt_for_each_subnode(fdto, fixup_child, fixup_node) { + fdt_for_each_subnode(fixup_child, fdto, fixup_node) { const char *fixup_child_name = fdt_get_name(fdto, fixup_child, NULL); int tree_child; @@ -511,7 +511,7 @@ static int overlay_apply_node(void *fdt, int target, return ret; } - fdt_for_each_subnode(fdto, node, fragment) { + fdt_for_each_subnode(node, fdto, fragment) { const char *name = fdt_get_name(fdto, node, NULL); int nnode; int ret; @@ -550,7 +550,7 @@ static int overlay_merge(void *dt, void *dto) { int fragment; - fdt_for_each_subnode(dto, fragment, 0) { + fdt_for_each_subnode(fragment, dto, 0) { int overlay; int target; int ret; -- cgit v1.2.3 From 42b7600d62ae288a8c12431d232b89b26ec61721 Mon Sep 17 00:00:00 2001 From: Simon Glass Date: Sun, 2 Oct 2016 17:59:30 -0600 Subject: libfdt: Drop inlining of fdt_path_offset() The fdt_path_offset() function is not inlined in upstream libfdt. Adjust U-Boot's version to match. Signed-off-by: Simon Glass --- lib/libfdt/fdt_ro.c | 5 +++++ 1 file changed, 5 insertions(+) (limited to 'lib') diff --git a/lib/libfdt/fdt_ro.c b/lib/libfdt/fdt_ro.c index e38aaa4ccf9..7e894b742b4 100644 --- a/lib/libfdt/fdt_ro.c +++ b/lib/libfdt/fdt_ro.c @@ -204,6 +204,11 @@ int fdt_path_offset_namelen(const void *fdt, const char *path, int namelen) return offset; } +int fdt_path_offset(const void *fdt, const char *path) +{ + return fdt_path_offset_namelen(fdt, path, strlen(path)); +} + const char *fdt_get_name(const void *fdt, int nodeoffset, int *len) { const struct fdt_node_header *nh = _fdt_offset_ptr(fdt, nodeoffset); -- cgit v1.2.3