{"id":2231996,"url":"http://patchwork.ozlabs.org/api/1.1/patches/2231996/?format=json","web_url":"http://patchwork.ozlabs.org/project/uboot/patch/20260501222801.1596650-1-raymondmaoca@gmail.com/","project":{"id":18,"url":"http://patchwork.ozlabs.org/api/1.1/projects/18/?format=json","name":"U-Boot","link_name":"uboot","list_id":"u-boot.lists.denx.de","list_email":"u-boot@lists.denx.de","web_url":null,"scm_url":null,"webscm_url":null},"msgid":"<20260501222801.1596650-1-raymondmaoca@gmail.com>","date":"2026-05-01T22:28:00","name":"lib: fdtdec: validate bloblist FDT before consuming libfdt size","commit_ref":null,"pull_url":null,"state":"new","archived":false,"hash":"58f4b207ead7ac466c283735af30710a235dec14","submitter":{"id":91989,"url":"http://patchwork.ozlabs.org/api/1.1/people/91989/?format=json","name":"Raymond Mao","email":"raymondmaoca@gmail.com"},"delegate":null,"mbox":"http://patchwork.ozlabs.org/project/uboot/patch/20260501222801.1596650-1-raymondmaoca@gmail.com/mbox/","series":[{"id":502501,"url":"http://patchwork.ozlabs.org/api/1.1/series/502501/?format=json","web_url":"http://patchwork.ozlabs.org/project/uboot/list/?series=502501","date":"2026-05-01T22:28:00","name":"lib: fdtdec: validate bloblist FDT before consuming libfdt size","version":1,"mbox":"http://patchwork.ozlabs.org/series/502501/mbox/"}],"comments":"http://patchwork.ozlabs.org/api/patches/2231996/comments/","check":"pending","checks":"http://patchwork.ozlabs.org/api/patches/2231996/checks/","tags":{},"headers":{"Return-Path":"<u-boot-bounces@lists.denx.de>","X-Original-To":"incoming@patchwork.ozlabs.org","Delivered-To":"patchwork-incoming@legolas.ozlabs.org","Authentication-Results":["legolas.ozlabs.org;\n\tdkim=pass (2048-bit key;\n unprotected) header.d=gmail.com header.i=@gmail.com header.a=rsa-sha256\n header.s=20251104 header.b=EEWg5dz2;\n\tdkim-atps=neutral","legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=lists.denx.de\n (client-ip=85.214.62.61; 
helo=phobos.denx.de;\n envelope-from=u-boot-bounces@lists.denx.de; receiver=patchwork.ozlabs.org)","phobos.denx.de;\n dmarc=pass (p=none dis=none) header.from=gmail.com","phobos.denx.de;\n spf=pass smtp.mailfrom=u-boot-bounces@lists.denx.de","phobos.denx.de;\n\tdkim=pass (2048-bit key;\n unprotected) header.d=gmail.com header.i=@gmail.com header.b=\"EEWg5dz2\";\n\tdkim-atps=neutral","phobos.denx.de;\n dmarc=pass (p=none dis=none) header.from=gmail.com","phobos.denx.de;\n spf=pass smtp.mailfrom=raymondmaoca@gmail.com"],"Received":["from phobos.denx.de (phobos.denx.de [85.214.62.61])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519 server-signature ECDSA (secp384r1) server-digest SHA384)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4g6m0K48Xhz1yJ0\n\tfor <incoming@patchwork.ozlabs.org>; Sat, 02 May 2026 08:28:33 +1000 (AEST)","from h2850616.stratoserver.net (localhost [IPv6:::1])\n\tby phobos.denx.de (Postfix) with ESMTP id 7D9CB840D8;\n\tSat,  2 May 2026 00:28:21 +0200 (CEST)","by phobos.denx.de (Postfix, from userid 109)\n id D49B4841D7; Sat,  2 May 2026 00:28:19 +0200 (CEST)","from mail-qk1-x72c.google.com (mail-qk1-x72c.google.com\n [IPv6:2607:f8b0:4864:20::72c])\n (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits))\n (No client certificate requested)\n by phobos.denx.de (Postfix) with ESMTPS id A8B7C83693\n for <u-boot@lists.denx.de>; Sat,  2 May 2026 00:28:17 +0200 (CEST)","by mail-qk1-x72c.google.com with SMTP id\n af79cd13be357-8cb20bcff5aso216010385a.3\n for <u-boot@lists.denx.de>; Fri, 01 May 2026 15:28:17 -0700 (PDT)","from ubuntu.localdomain (172-97-209-197.cpe.distributel.net.\n [172.97.209.197]) by smtp.gmail.com with ESMTPSA id\n af79cd13be357-8fc2938e7f8sm284458485a.7.2026.05.01.15.28.15\n (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);\n Fri, 01 May 2026 15:28:15 -0700 (PDT)"],"X-Spam-Checker-Version":"SpamAssassin 3.4.2 (2018-09-13) on 
phobos.denx.de","X-Spam-Level":"","X-Spam-Status":"No, score=-1.1 required=5.0 tests=BAYES_00,DKIM_SIGNED,\n DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,FORGED_GMAIL_RCVD,FREEMAIL_FROM,\n RCVD_IN_DNSWL_BLOCKED,SPF_HELO_NONE,SPF_PASS autolearn=no\n autolearn_force=no version=3.4.2","DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed;\n d=gmail.com; s=20251104; t=1777674496; x=1778279296; darn=lists.denx.de;\n h=content-transfer-encoding:mime-version:message-id:date:subject:cc\n :to:from:from:to:cc:subject:date:message-id:reply-to;\n bh=vsgyUU/3UNTOHKVozBCl2pFqT4bdD/OJ1Ag1k46uKEQ=;\n b=EEWg5dz2GwmbSVi+Ci3CHzwqJ3653BG3TFqkRDTVjSVB2IpzRTIhKAXtfIsSNHMmMG\n w/OHYBvjMLF8YjV3YgsBbJvxHxX0wHGtrWdJJnbBiH0HAdSKaBtTmIj8wSa6PVqo96+f\n 0wxd1gXrBr3ffcDhh8jAyR3EXPfNr5ZZwP+GYa84HL3ntv1iPTKhaocMx0CBDCpptoxo\n qa13fORNOVo8VBH6ak9heeK+iqfx/cIO74nZE6CnwOEzkeq9AegDdR1g4D4yCkxFuEBI\n 1lfp6RYiWG1u619dJQb8mwkA2k9pnQE2PenH6dLEZN/K4xY7IwHOcBKOw6mPbJtect2K\n H35g==","X-Google-DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed;\n d=1e100.net; s=20251104; t=1777674496; x=1778279296;\n h=content-transfer-encoding:mime-version:message-id:date:subject:cc\n :to:from:x-gm-gg:x-gm-message-state:from:to:cc:subject:date\n :message-id:reply-to;\n bh=vsgyUU/3UNTOHKVozBCl2pFqT4bdD/OJ1Ag1k46uKEQ=;\n b=e6cTHL8eBTvHHIHy03b6zVU2i4B0rVfdONW9ZeAfAs7qEsXBQ4m5yherEtE0+wa238\n ee/NrJMAF2ic1FhZ0OpTw8DAxlBoy+mpuJ0JsAZwlkdn/Pnq8ZOWmU9ZYPGguZNsoYwX\n ytJSpXAexd7L5CZderFY53NAsWw0F9EnOav5WZyEGlQgdkUgKOj2dQAsZ3i+daDGfawT\n F6WUzvTHqtNgb+0gCNMOMOR3WNAa942nkcQgQH90sv2YwQynRyJRG2wlhXEQo5v5nSn8\n GU5iV/HUC7egFIir5oz3WPW0yfSnmMZv5BE/eVoKY4CHnUG/dUEnFz8uvSn5t7PTfxEB\n tW1A==","X-Gm-Message-State":"AOJu0YwHU7O4cxcmDReNw4SHLZ+hjX0YHKEVLBdfw6xi8HhY0HkrSoO/\n wMveXtdNbSDdWcwy2Nr4FdirUhuJ7tdhXlAJ9ye9PfjmCeap2xsSvXNJ2pjjPn2VY98=","X-Gm-Gg":"AeBDiesBI3qdBPiCIxAO70zP8zYtYQWoDNXtRCqAKkOtbVkfMWOE01/LTDKfBhv6biA\n MqyqZsYlgbhwi+nWNMl436rCQNw7GsXzf0AafJBF9+tgfKFsmcjZQsHmw+PKqP4jFKMPfQSjTvY\n 
OPY5WJ3PIueVFezj184owQROn/iU/ivndIQRB2LOYzELtkXCrc4MNAJKHEQIqEZ91oLmMR+5kM/\n TDfYO6aja822LKOij8xdw09v5Az7BWItZJ+XMjHPyyFKlNVH7vwiwQouCTJXgEduNeJ585VYuM0\n uS7FGfwLOJNc8kn+V01Q0iJrqLTMENTplpxduF+SDmkMoUnGaTHkogHNZALFduKbs0anc3JTGl3\n viqFNTtYGqDuJjW5UWhfXFJmDpPfiHbnVOK81gRnSCkTLaWuxegsGaOI5w0gwahamuA9bKmDBqV\n GbqPlGkni48YkzazpijhbEU9bcGObMPPpyOM2uAEEN/ld1z17CVuQUGlTnhH6nydNaH6mEMH5HH\n 4Bc6kSp4bo4xLQ0TtgWQQ==","X-Received":"by 2002:a05:620a:4891:b0:8da:dc5d:acf5 with SMTP id\n af79cd13be357-8fd155f2791mr219282185a.12.1777674496150;\n Fri, 01 May 2026 15:28:16 -0700 (PDT)","From":"Raymond Mao <raymondmaoca@gmail.com>","To":"u-boot@lists.denx.de","Cc":"Raymond Mao <raymond.mao@riscstar.com>, Simon Glass <sjg@chromium.org>,\n Tom Rini <trini@konsulko.com>,\n Alexander Sverdlin <alexander.sverdlin@siemens.com>,\n Michal Simek <michal.simek@amd.com>, Pranav Sanwal <pranav.sanwal@amd.com>,\n Casey Connolly <casey.connolly@linaro.org>","Subject":"[PATCH] lib: fdtdec: validate bloblist FDT before consuming libfdt\n size","Date":"Fri,  1 May 2026 18:28:00 -0400","Message-Id":"<20260501222801.1596650-1-raymondmaoca@gmail.com>","X-Mailer":"git-send-email 2.25.1","MIME-Version":"1.0","Content-Transfer-Encoding":"8bit","X-BeenThere":"u-boot@lists.denx.de","X-Mailman-Version":"2.1.39","Precedence":"list","List-Id":"U-Boot discussion <u-boot.lists.denx.de>","List-Unsubscribe":"<https://lists.denx.de/options/u-boot>,\n <mailto:u-boot-request@lists.denx.de?subject=unsubscribe>","List-Archive":"<https://lists.denx.de/pipermail/u-boot/>","List-Post":"<mailto:u-boot@lists.denx.de>","List-Help":"<mailto:u-boot-request@lists.denx.de?subject=help>","List-Subscribe":"<https://lists.denx.de/listinfo/u-boot>,\n <mailto:u-boot-request@lists.denx.de?subject=subscribe>","Errors-To":"u-boot-bounces@lists.denx.de","Sender":"\"U-Boot\" <u-boot-bounces@lists.denx.de>","X-Virus-Scanned":"clamav-milter 0.103.8 at phobos.denx.de","X-Virus-Status":"Clean"},"content":"From: Raymond Mao 
<raymond.mao@riscstar.com>\n\nCoverity Scan defects are observed in fdtdec_apply_bloblist_dtos(),\nsince the live FDT taken from the bloblist is passed to libfdt helpers\nwhich consume header size/offset fields:\n- fdt_open_into()\n- fdt_pack()\n- bloblist_resize(..., fdt_totalsize(...))\n\nAdd a small helper to validate the FDT header and confirm that the\nadvertised totalsize fits within the currently allocated bloblist\nrecord. Use the sanitized size before calling fdt_open_into(), again\nafter overlays are applied before calling fdt_pack(), and once more\nafter packing before shrinking the bloblist record.\n\nThis keeps the existing flow unchanged while making the size consumers\noperate on validated FDT metadata.\n\nFixes: b70cbbfbf94f (\"fdtdec: apply DT overlays from bloblist\")\nAddresses-Coverity-ID: CID 645837: (TAINTED_SCALAR)\nSigned-off-by: Raymond Mao <raymond.mao@riscstar.com>\n---\n lib/fdtdec.c | 44 ++++++++++++++++++++++++++++++++++++++++----\n 1 file changed, 40 insertions(+), 4 deletions(-)","diff":"diff --git a/lib/fdtdec.c b/lib/fdtdec.c\nindex c6e13b6abef..edeaf16af51 100644\n--- a/lib/fdtdec.c\n+++ b/lib/fdtdec.c\n@@ -1744,9 +1744,31 @@ static int fdtdec_apply_dto_blob(void **blob, __maybe_unused int size)\n \treturn fdt_overlay_apply_verbose((void *)gd->fdt_blob, *blob);\n }\n \n+static int fdtdec_get_valid_fdt_size(const void *fdt, int alloc_size,\n+\t\t\t\t     int *fdt_sizep)\n+{\n+\tint ret, fdt_size;\n+\n+\t/*\n+\t * Validate the header before libfdt trusts any header offsets/sizes.\n+\t * Also make sure the advertised totalsize fits in the bloblist record.\n+\t */\n+\tret = fdt_check_header(fdt);\n+\tif (ret)\n+\t\treturn ret;\n+\n+\tfdt_size = fdt_totalsize(fdt);\n+\tif (fdt_size > alloc_size)\n+\t\treturn -FDT_ERR_TRUNCATED;\n+\n+\t*fdt_sizep = fdt_size;\n+\n+\treturn 0;\n+}\n+\n static int fdtdec_apply_bloblist_dtos(void)\n {\n-\tint ret;\n+\tint ret, live_fdt_size;\n \tstruct fdt_header *live_fdt;\n \tint blob_size;\n \tsize_t 
padded_size, max_size;\n@@ -1760,8 +1782,12 @@ static int fdtdec_apply_bloblist_dtos(void)\n \tif (live_fdt != gd->fdt_blob)\n \t\treturn -ENOENT;\n \n+\tret = fdtdec_get_valid_fdt_size(live_fdt, blob_size, &live_fdt_size);\n+\tif (ret)\n+\t\treturn ret;\n+\n \t/* Calculate the allowed padded size */\n-\tpadded_size = fdt_totalsize(live_fdt) + CONFIG_SYS_FDT_PAD;\n+\tpadded_size = live_fdt_size + CONFIG_SYS_FDT_PAD;\n \tmax_size = bloblist_get_total_size() - bloblist_get_size() + blob_size;\n \tif (padded_size > max_size)\n \t\tpadded_size = max_size;\n@@ -1772,6 +1798,7 @@ static int fdtdec_apply_bloblist_dtos(void)\n \t\tif (ret)\n \t\t\treturn ret;\n \n+\t\tblob_size = padded_size;\n \t\tret = fdt_open_into(live_fdt, live_fdt, padded_size);\n \t\tif (ret)\n \t\t\treturn ret;\n@@ -1781,9 +1808,18 @@ static int fdtdec_apply_bloblist_dtos(void)\n \tif (ret)\n \t\treturn ret;\n \n-\t/* Shink the blob to the actual FDT size */\n+\tret = fdtdec_get_valid_fdt_size(live_fdt, blob_size, &live_fdt_size);\n+\tif (ret)\n+\t\treturn ret;\n+\n \tfdt_pack(live_fdt);\n-\treturn bloblist_resize(BLOBLISTT_CONTROL_FDT, fdt_totalsize(live_fdt));\n+\n+\tret = fdtdec_get_valid_fdt_size(live_fdt, blob_size, &live_fdt_size);\n+\tif (ret)\n+\t\treturn ret;\n+\n+\t/* Shrink the blob to the actual FDT size */\n+\treturn bloblist_resize(BLOBLISTT_CONTROL_FDT, live_fdt_size);\n }\n \n int fdtdec_setup(void)\n","prefixes":[]}
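Review bot: in the new fdtdec_get_valid_fdt_size() helper, fdt_check_header(fdt) reads the header fields before alloc_size is consulted at all, so a bloblist record shorter than struct fdt_header is still read past its end. Reject an alloc_size smaller than sizeof(struct fdt_header) before calling it. The totalsize is also stored in a signed int (`fdt_size = fdt_totalsize(fdt);`) although the header field is an unsigned 32-bit value, so the `fdt_size > alloc_size` bound only holds if fdt_check_header() has already rejected values above INT_MAX. An unsigned comparison, or a comment stating that dependency, would make the check self-contained. A negative alloc_size is not rejected either.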
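Review bot: in the hunk at -1760, the new early `return ret;` passes a libfdt code from the helper (for example -FDT_ERR_TRUNCATED) out of fdtdec_apply_bloblist_dtos(), whose neighbouring failure path returns the errno value -ENOENT, and nothing is logged. A corrupt bloblist FDT therefore fails with a code the caller cannot tell apart from an errno. Either map the result to an errno here or log a message naming the control FDT record before returning.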
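Review bot: in the resize branch (hunk at -1772), `blob_size = padded_size;` narrows a size_t into an int and changes the meaning of blob_size from the size originally reported for the record to its capacity after the resize, without a comment. Both later fdtdec_get_valid_fdt_size() calls depend on this assignment for their bound, so it deserves a one-line comment saying so, or a separately named capacity variable of type size_t.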
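Review bot: in the last hunk, `fdt_pack(live_fdt);` still discards its return value, and a packing failure is only inferred indirectly by the third fdtdec_get_valid_fdt_size() call. Check the result of fdt_pack() directly and return on error, then keep the size validation for the bloblist_resize() argument. The same three-line validate-and-return sequence now appears three times in fdtdec_apply_bloblist_dtos(), and a short comment at each site saying which libfdt consumer it guards (fdt_open_into(), fdt_pack(), bloblist_resize()) would match the commit message and help the next reader.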