"Das U-Boot" Source Tree

boot: fit: validate FDT/DTO payload before fdt_open_into()

boot_get_fdt_fit_into_buffer() calls fdt_open_into() for both the
base FDT and overlay DTO blobs loaded from a FIT image.

Those blobs come from FIT payload data. In the overlay path,
fit_image_load() is called with FIT_LOAD_IGNORED, so the IH_TYPE_FLATDT
header check in fit_image_load() is skipped. This leaves fdt_open_into()
to consume header-derived offsets/sizes from unvalidated input.

Validate the full blob against the payload length first with
fdt_check_full(fdtsrcbuf, srclen), then proceed with fdt_totalsize() and
fdt_open_into(). This fixes Coverity CID 644638 (TAINTED_SCALAR).

Fixes: 5ebf0c55a23 ("image: fit: Apply overlays using aligned writable FDT copies")
Link: https://lore.kernel.org/all/20260223195109.GG3233182@bill-the-cat/
Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
Reviewed-by: Tom Rini <trini@konsulko.com>

Authored by James Hilliard and committed by Tom Rini
Commit 0b293946 (parent 26048cdb)

boot/image-fit.c (+8)
··· 2390 2390 fdtsrcbuf = tmp; 2391 2391 } 2392 2392 2393 + /* 2394 + * Source data comes from FIT payload. Validate the blob against 2395 + * payload length before fdt_open_into() trusts header offsets/sizes. 2396 + */ 2397 + err = fdt_check_full(fdtsrcbuf, srclen); 2398 + if (err < 0) 2399 + goto out; 2400 + 2393 2401 newdstlen = ALIGN(fdt_totalsize(fdtsrcbuf) + extra, SZ_4K); 2394 2402 min_dstlen = ALIGN(min_dstlen, SZ_4K); 2395 2403 if (newdstlen < min_dstlen)
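Review bot: the new fdt_check_full() call at line 2397 is only as strong as the `srclen` it is given, and this hunk shows `fdtsrcbuf` being reassigned to `tmp` at line 2390 just before the check; please confirm that `srclen` still describes the number of bytes actually available at `fdtsrcbuf` after that reassignment (i.e. the size of the copied buffer, not only the original payload length), otherwise the check can read past the copy or pass a length larger than the copy. Two smaller points on the same hunk: `goto out` at line 2399 propagates the raw negative libfdt code from fdt_check_full() as `err`, so check that callers of this path expect libfdt-style return values rather than an errno such as -EINVAL; and a `debug()`/`printf()` on the failure path would make a rejected FIT FDT/DTO diagnosable instead of failing silently. The comment block at lines 2393-2396 is good; consider also mentioning there that this check deliberately covers the overlay path, where fit_image_load() is called with FIT_LOAD_IGNORED and the IH_TYPE_FLATDT header check is skipped, so the reason for validating here survives future refactoring.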