Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

ARM: xen: validate hypervisor compatible before parsing its version

fdt_find_hyper_node() reads the raw compatible property and then derives
hyper_node.version from a prefix match before later printing it with %s.
Flat DT properties are external boot input, and this path does not prove
that the first compatible entry is NUL-terminated within the returned
property length.

Keep the existing flat-DT lookup path, but verify that the first
compatible entry terminates within the returned property length before
deriving the version suffix from it.

Signed-off-by: Pengpeng Hou <pengpeng@iscas.ac.cn>
Reviewed-by: Stefano Stabellini <sstabellini@kernel.org>
Signed-off-by: Juergen Gross <jgross@suse.com>
Message-ID: <20260405094005.5-arm-xen-v2-pengpeng@iscas.ac.cn>

authored by Pengpeng Hou and committed by Juergen Gross
f45ab277 591cd656

+6 -4
arch/arm/xen/enlighten.c
··· 218 218 static int __init fdt_find_hyper_node(unsigned long node, const char *uname, 219 219 int depth, void *data) 220 220 { 221 - const void *s = NULL; 221 + const char *s = NULL; 222 222 int len; 223 + size_t prefix_len = strlen(hyper_node.prefix); 223 224 224 225 if (depth != 1 || strcmp(uname, "hypervisor") != 0) 225 226 return 0; ··· 229 228 hyper_node.found = true; 230 229 231 230 s = of_get_flat_dt_prop(node, "compatible", &len); 232 - if (strlen(hyper_node.prefix) + 3 < len && 233 - !strncmp(hyper_node.prefix, s, strlen(hyper_node.prefix))) 234 - hyper_node.version = s + strlen(hyper_node.prefix); 231 + if (s && len > 0 && strnlen(s, len) < len && 232 + len > prefix_len + 3 && 233 + !strncmp(hyper_node.prefix, s, prefix_len)) 234 + hyper_node.version = s + prefix_len; 235 235 236 236 /* 237 237 * Check if Xen supports EFI by checking whether there is the
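Review bot: In the first hunk, `size_t prefix_len = strlen(hyper_node.prefix);` is evaluated in the declarations, ahead of the `depth != 1 || strcmp(uname, "hypervisor") != 0` early return, so the length is computed for every node this callback is invoked on rather than only for the hypervisor node. Declaring prefix_len there and assigning it after the early return keeps the work on the path that uses it. The change of `s` from `const void *` to `const char *` is what lets the later `s + prefix_len` and strnlen() calls be well-typed, which is worth a word in the commit message.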
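Review bot: In the second hunk's condition, `len > prefix_len + 3` bounds the length of the whole property, not the first entry that `strnlen(s, len) < len` has just validated. If the property holds several compatible strings, a first entry equal to the bare prefix still passes, and hyper_node.version ends up pointing at an empty string. Storing the strnlen() result in a local and requiring that value to exceed prefix_len by the intended minimum suffix would tie the bound to the entry actually being parsed. Separately, both `strnlen(s, len) < len` and `len > prefix_len + 3` compare the int `len` against size_t values; that is only safe because `len > 0` is tested first, so a short comment or an explicit cast would protect the check against a later reordering.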