From 7941b7ebcf2f4e1b60a73516e582d0708a0c4f2c Mon Sep 17 00:00:00 2001 From: Konrad Beckmann Date: Wed, 7 Nov 2018 14:51:46 -0500 Subject: [PATCH] fdt_region: Ensure that depth never goes below -1 A specially crafted FIT image makes it possible to overflow the stack with controlled values when using the verified boot feature. Depending on the memory layout, this could be used to overwrite configuration variables on the heap and setting them to 0, e.g. disable signature verification, thus bypassing it. This change fixes a bug in fdt_find_regions where the fdt structure is parsed. A lower value than -1 of depth can lead to a buffer underflow write on the stack. Signed-off-by: Konrad Beckmann Reviewed-by: Simon Glass --- lib/libfdt/fdt_region.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/lib/libfdt/fdt_region.c b/lib/libfdt/fdt_region.c index d3b9a60e99..7e9fa9272e 100644 --- a/lib/libfdt/fdt_region.c +++ b/lib/libfdt/fdt_region.c @@ -96,6 +96,9 @@ int fdt_find_regions(const void *fdt, char * const inc[], int inc_count, break; case FDT_END_NODE: + /* Depth must never go below -1 */ + if (depth < 0) + return -FDT_ERR_BADSTRUCTURE; include = want; want = stack[depth--]; while (end > path && *--end != '/') -- 2.39.5