Hi Simon, yes, you are right, I forgot to call this checking function, thanks!

Best regards
Jianqiang

Simon Glass <s...@chromium.org> wrote on Thursday, June 6, 2024 at 17:04:
> Hi Jianqiang,
>
> On Wed, 5 Jun 2024 at 07:40, jianqiang wang <wjq....@gmail.com> wrote:
> >
> > Dear Das U-Boot developers,
> >
> > I found that the u-boot device tree implementation lacks a check for the
> > off_dt_struct field in the device tree.
> >
> > In file scripts\dtc\libfdt\libfdt_internal.h, fdt_offset_ptr_ returns the
> > dt struct address. It calculates the address by adding the header address,
> > fdt offset, and a specified offset. However, the fdt offset is read from
> > the device tree and lacks a proper check. The returned pointer can even
> > point to any address, leading to arbitrary read or write.
> >
> > Could you please confirm it is a vulnerability?
>
> Doesn't fdt_check_header() help here? Where are you calling the code from?
>
> Regards,
> Simon
>
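The header validation the thread turns on, as an added example that is not libfdt's or U-Boot's code: a hypothetical `checked_fdt_header` that confirms `off_dt_struct` and `size_dt_struct` lie inside the buffer holding the blob, and a checked counterpart of `fdt_offset_ptr_` that refuses to derive a pointer until that check has passed. The field offsets are those of the standard FDT header; the sample blob is constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define FDT_MAGIC       0xd00dfeedu
#define FDT_HEADER_SIZE 40u   /* size of the standard FDT header in bytes */
/* Read a big-endian 32-bit header field at byte offset off. */
static uint32_t fdt_be32(const uint8_t *p, size_t off) {
    return ((uint32_t)p[off] << 24) | ((uint32_t)p[off + 1] << 16) |
           ((uint32_t)p[off + 2] << 8) | (uint32_t)p[off + 3];
}
/* Hypothetical header check (not libfdt's fdt_check_header): 0 if the
 * header is consistent with the buffer that actually holds the blob,
 * a negative code otherwise. */
int checked_fdt_header(const uint8_t *blob, size_t buf_len) {
    if (buf_len < FDT_HEADER_SIZE) return -1;
    if (fdt_be32(blob, 0) != FDT_MAGIC) return -2;
    uint32_t totalsize  = fdt_be32(blob, 4);
    uint32_t off_struct = fdt_be32(blob, 8);   /* off_dt_struct */
    uint32_t sz_struct  = fdt_be32(blob, 36);  /* size_dt_struct */
    if (totalsize < FDT_HEADER_SIZE || totalsize > buf_len) return -3;
    if (off_struct < FDT_HEADER_SIZE || off_struct > totalsize) return -4;
    if (sz_struct > totalsize - off_struct) return -5; /* no wraparound */
    return 0;
}
/* Hypothetical checked counterpart of fdt_offset_ptr_: derives
 * blob + off_dt_struct + offset only after the header validated and
 * [offset, offset + len) lies inside the struct block; else NULL. */
const void *checked_struct_ptr(const uint8_t *blob, size_t buf_len,
                               uint32_t offset, uint32_t len) {
    if (checked_fdt_header(blob, buf_len) != 0) return NULL;
    uint32_t off_struct = fdt_be32(blob, 8);
    uint32_t sz_struct  = fdt_be32(blob, 36);
    if (offset > sz_struct || len > sz_struct - offset) return NULL;
    return blob + off_struct + offset;
}
/* Constructed sample blob: a header followed by a 16-byte struct block. */
uint8_t sample[FDT_HEADER_SIZE + 16];
static void put_be32(uint8_t *p, size_t off, uint32_t v) {
    p[off] = v >> 24; p[off + 1] = v >> 16; p[off + 2] = v >> 8; p[off + 3] = v;
}
/* Fill the sample with a chosen off_dt_struct so both cases can be tried. */
void build_sample(uint32_t off_dt_struct) {
    memset(sample, 0, sizeof sample);
    put_be32(sample, 0, FDT_MAGIC);
    put_be32(sample, 4, (uint32_t)sizeof sample);   /* totalsize */
    put_be32(sample, 8, off_dt_struct);
    put_be32(sample, 36, 16);                       /* size_dt_struct */
}
```

With `off_dt_struct` set to a value past the end of the blob, `checked_struct_ptr` returns NULL instead of an address outside the buffer.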