[fdt] Allow for parsing device trees where the length is known in advance

Allow for parsing device trees where an external factor (such as a downloaded image length) determines the maximum length, which must be validated against the length within the device tree header. Signed-off-by: Michael Brown <mcb30@ipxe.org>
2025-03-28 14:08:18 +00:00 · 2025-03-28 14:08:18 +00:00 · 3860313dd5
parent 2399c79980
commit 3860313dd5
4 changed files with 20 additions and 4 deletions
--- a/src/arch/riscv/prefix/sbiprefix.S
+++ b/src/arch/riscv/prefix/sbiprefix.S
@ -123,6 +123,7 @@ _sbi_start:
 	/* Register device tree */
 	la	a0, sysfdt
 	mv	a1, s1
+	li	a2, -1
 	call	fdt_parse

 	/* Call main program */
--- a/src/core/fdt.c
+++ b/src/core/fdt.c
@ -82,7 +82,7 @@ static int fdt_traverse ( struct fdt *fdt,
 	size_t len;

 	/* Sanity checks */
-	assert ( pos->offset < fdt->len );
+	assert ( pos->offset <= fdt->len );
 	assert ( ( pos->offset & ( FDT_STRUCTURE_ALIGN - 1 ) ) == 0 );

 	/* Clear descriptor */
@ -453,14 +453,28 @@ int fdt_mac ( struct fdt *fdt, unsigned int offset,
 *
 * @v fdt		Device tree
 * @v hdr		Device tree header
+ * @v max_len		Maximum device tree length
 * @ret rc		Return status code
 */
-int fdt_parse ( struct fdt *fdt, const struct fdt_header *hdr ) {
+int fdt_parse ( struct fdt *fdt, const struct fdt_header *hdr,
+		size_t max_len ) {
 	const uint8_t *end;

+	/* Sanity check */
+	if ( sizeof ( fdt ) > max_len ) {
+		DBGC ( fdt, "FDT length %#zx too short for header\n",
+		       max_len );
+		goto err;
+	}
+
 	/* Record device tree location */
 	fdt->hdr = hdr;
 	fdt->len = be32_to_cpu ( hdr->totalsize );
+	if ( fdt->len > max_len ) {
+		DBGC ( fdt, "FDT has invalid length %#zx / %#zx\n",
+		       fdt->len, max_len );
+		goto err;
+	}
 	DBGC ( fdt, "FDT version %d at %p+%#04zx\n",
 	       be32_to_cpu ( hdr->version ), fdt->hdr, fdt->len );

--- a/src/include/ipxe/fdt.h
+++ b/src/include/ipxe/fdt.h
@ -107,6 +107,7 @@ extern int fdt_u64 ( struct fdt *fdt, unsigned int offset, const char *name,
 		     uint64_t *value );
 extern int fdt_mac ( struct fdt *fdt, unsigned int offset,
 		     struct net_device *netdev );
-extern int fdt_parse ( struct fdt *fdt, const struct fdt_header *hdr );
+extern int fdt_parse ( struct fdt *fdt, const struct fdt_header *hdr,
+		       size_t max_len );

 #endif /* _IPXE_FDT_H */
--- a/src/interface/efi/efi_fdt.c
+++ b/src/interface/efi/efi_fdt.c
@ -54,7 +54,7 @@ static void efi_fdt_init ( void ) {
 	DBGC ( &efi_fdt, "EFIFDT configuration table at %p\n", efi_fdt );

 	/* Parse as system device tree */
-	if ( ( rc = fdt_parse ( &sysfdt, efi_fdt ) ) != 0 ) {
+	if ( ( rc = fdt_parse ( &sysfdt, efi_fdt, -1UL ) ) != 0 ) {
 		DBGC ( &efi_fdt, "EFIFDT could not parse: %s\n",
 		       strerror ( rc ) );
 		return;