libfdt: fix undefined behaviour in fdt_offset_ptr()

Upstream commit d0b3ab0a0f46 ("libfdt: Fix undefined behaviour in fdt_offset_ptr()"). Using pointer arithmetic to generate a pointer outside a known object is, technically, undefined behaviour in C. Unfortunately, we were using that in fdt_offset_ptr() to detect overflows. To fix this we need to do our bounds / overflow checking on the offsets before constructing pointers from them. Acked-by: Jerome Forissier <jerome.forissier@linaro.org> Fixes: #1967 Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
OP-TEE · Nov 23, 2017 · a0ffc59 · a0ffc59
1 parent 2f47d83
commit a0ffc59
Showing 1 changed file with 7 additions and 6 deletions.
diff --git a/core/lib/libfdt/fdt.c b/core/lib/libfdt/fdt.c
@@ -76,18 +76,19 @@ int fdt_check_header(const void *fdt)
 
 const void *fdt_offset_ptr(const void *fdt, int offset, unsigned int len)
 {
-	const char *p;
+	unsigned absoffset = offset + fdt_off_dt_struct(fdt);
+
+	if ((absoffset < offset)
+	    || ((absoffset + len) < absoffset)
+	    || (absoffset + len) > fdt_totalsize(fdt))
+		return NULL;
 
 	if (fdt_version(fdt) >= 0x11)
 		if (((offset + len) < offset)
 		    || ((offset + len) > fdt_size_dt_struct(fdt)))
 			return NULL;
 
-	p = _fdt_offset_ptr(fdt, offset);
-
-	if (p + len < p)
-		return NULL;
-	return p;
+	return _fdt_offset_ptr(fdt, offset);
 }
 
 uint32_t fdt_next_tag(const void *fdt, int startoffset, int *nextoffset)