
[PATCH 3/6] xen/dt-overlay: check overlay size before memcmp in tracker lookup


  • To: <xen-devel@xxxxxxxxxxxxxxxxxxxx>
  • From: Michal Orzel <michal.orzel@xxxxxxx>
  • Date: Wed, 15 Apr 2026 13:36:57 +0200
  • Cc: Michal Orzel <michal.orzel@xxxxxxx>, Stefano Stabellini <sstabellini@xxxxxxxxxx>, Julien Grall <julien@xxxxxxx>, Bertrand Marquis <bertrand.marquis@xxxxxxx>
  • Delivery-date: Wed, 15 Apr 2026 11:37:31 +0000
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

find_track_entry_from_tracker() compares overlay_fdt_size bytes of the
stored overlay against the input without verifying that the stored
overlay is at least that large. If the input is larger, memcmp reads
past the stored allocation. If smaller, a prefix match could falsely
succeed.

Compare fdt_totalsize() of the stored overlay against overlay_fdt_size
first. Both values are validated by check_overlay_fdt() at their
respective entry points, so no additional field in overlay_track is
needed.

Fixes: 7e5c4a8b86f1 ("xen/arm: Implement device tree node removal functionalities")
Signed-off-by: Michal Orzel <michal.orzel@xxxxxxx>
---
 xen/common/device-tree/dt-overlay.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/xen/common/device-tree/dt-overlay.c b/xen/common/device-tree/dt-overlay.c
index 3853e6e347fe..0eed1532a10d 100644
--- a/xen/common/device-tree/dt-overlay.c
+++ b/xen/common/device-tree/dt-overlay.c
@@ -379,7 +379,8 @@ find_track_entry_from_tracker(const void *overlay_fdt,
      */
     list_for_each_entry_safe( entry, temp, &overlay_tracker, entry )
     {
-        if ( memcmp(entry->overlay_fdt, overlay_fdt, overlay_fdt_size) == 0 )
+        if ( (fdt_totalsize(entry->overlay_fdt) == overlay_fdt_size) &&
+             !memcmp(entry->overlay_fdt, overlay_fdt, overlay_fdt_size) )
         {
             found_entry = true;
             break;
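Review bot: the new size guard reads the stored entry's own header via fdt_totalsize(entry->overlay_fdt), so its correctness rests on an invariant the hunk cannot show, namely that the copy kept in the tracker is exactly totalsize bytes long and its header is never modified after insertion; please state that invariant in the comment block that closes at the `*/` just above the list_for_each_entry_safe() loop, so a later change to how the copy is stored does not silently reintroduce the over-read. Minor style point: the removed line used `memcmp(...) == 0` while the replacement switches to `!memcmp(...)`, and the parentheses around the fdt_totalsize() comparison are redundant; either idiom is fine, but keep one.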
-- 
2.43.0
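The following is an added, self-contained C model of the tracker lookup described in the commit message; it is not Xen code and not part of the patch. It reproduces the shape of find_track_entry_from_tracker() before and after the change and exercises the two failure modes the message names: an input larger than the stored copy (memcmp asked for more bytes than the allocation holds) and a caller-supplied size smaller than the stored overlay (a header-prefix match that falsely succeeds). The FDT header accessors, the check_overlay_fdt() stand-in, the alloc_len instrumentation field, the bounded compare wrapper and the constructed overlays are all assumptions made for this example; the real overlay_track has no size field, which is exactly why the patch recovers the stored size from the FDT header.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FDT_MAGIC   0xd00dfeedU
#define FDT_HDR_LEN 40U   /* sizeof(struct fdt_header): ten 32-bit fields */

/* Big-endian header reads, mirroring libfdt's fdt_magic()/fdt_totalsize(). */
static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | p[3];
}
static uint32_t hdr_magic(const void *fdt) { return be32(fdt); }
static uint32_t hdr_totalsize(const void *fdt)
{
    return be32((const uint8_t *)fdt + 4);
}

/* Tracker entry. alloc_len is instrumentation for this example only; the
 * real overlay_track keeps just the pointer (assumption, see lead-in). */
struct overlay_track {
    const uint8_t *overlay_fdt;
    size_t alloc_len;
};

/* Stand-in for check_overlay_fdt(): magic plus header/size agreement. */
static bool check_overlay_fdt(const void *fdt, uint32_t size)
{
    return size >= FDT_HDR_LEN && hdr_magic(fdt) == FDT_MAGIC &&
           hdr_totalsize(fdt) == size;
}

/* memcmp() wrapper that only touches bytes inside the stored allocation (so
 * this example stays well defined) and counts every request that a real
 * memcmp() would have satisfied by reading past the end of it. */
static int over_read_requests;
static int bounded_memcmp(const struct overlay_track *t, const void *in,
                          uint32_t n)
{
    size_t len = n;
    if (n > t->alloc_len) {
        over_read_requests++;
        len = t->alloc_len;
    }
    return memcmp(t->overlay_fdt, in, len);
}

/* Lookup before the patch: the compare length comes from the caller alone. */
static int find_unchecked(const struct overlay_track *tr, size_t n,
                          const void *fdt, uint32_t size)
{
    for (size_t i = 0; i < n; i++)
        if (bounded_memcmp(&tr[i], fdt, size) == 0)
            return (int)i;
    return -1;
}

/* Lookup after the patch: sizes must agree before any byte is compared. */
static int find_checked(const struct overlay_track *tr, size_t n,
                        const void *fdt, uint32_t size)
{
    for (size_t i = 0; i < n; i++)
        if (hdr_totalsize(tr[i].overlay_fdt) == size &&
            bounded_memcmp(&tr[i], fdt, size) == 0)
            return (int)i;
    return -1;
}

/* Constructed header-only overlay: magic, totalsize, rest zeroed. */
static void make_overlay(uint8_t *buf, uint32_t totalsize)
{
    memset(buf, 0, totalsize);
    buf[0] = 0xd0; buf[1] = 0x0d; buf[2] = 0xfe; buf[3] = 0xed;
    buf[4] = (uint8_t)(totalsize >> 24); buf[5] = (uint8_t)(totalsize >> 16);
    buf[6] = (uint8_t)(totalsize >> 8);  buf[7] = (uint8_t)totalsize;
}

/* One stored 48-byte overlay; each scenario resets the over-read counter
 * and returns the lookup result so it can be checked, not just printed. */
static uint8_t stored[48], input[64];
static struct overlay_track tracker[1];

static int run(bool checked, uint32_t input_total, uint32_t claimed_size)
{
    make_overlay(stored, sizeof(stored));
    tracker[0].overlay_fdt = stored;
    tracker[0].alloc_len = sizeof(stored);
    make_overlay(input, input_total);
    over_read_requests = 0;
    return checked ? find_checked(tracker, 1, input, claimed_size)
                   : find_unchecked(tracker, 1, input, claimed_size);
}

/* Identical overlay, consistent size: both lookups return entry 0. */
static int lookup_exact(bool checked)      { return run(checked, 48, 48); }
/* Larger input: unchecked asks memcmp() for 64 bytes of a 48-byte copy. */
static int lookup_larger(bool checked)     { return run(checked, 64, 64); }
/* Size smaller than the overlay (check_overlay_fdt() would reject it):
 * the unchecked lookup matches on the 8-byte header prefix alone. */
static int lookup_short_size(bool checked) { return run(checked, 48, 8); }

int main(void)
{
    printf("exact: unchecked=%d checked=%d\n",
           lookup_exact(false), lookup_exact(true));
    printf("larger: unchecked=%d over-read requests=%d\n",
           lookup_larger(false), over_read_requests);
    printf("short size: unchecked=%d checked=%d passes check=%d\n",
           lookup_short_size(false), lookup_short_size(true),
           check_overlay_fdt(input, 8));
    return 0;
}
```

The instrumented compare is the only way to show the over-read request without performing it: a real memcmp() given 64 bytes against a 48-byte allocation is undefined behaviour regardless of where the first differing byte lies, so the counter records the request rather than the read. The short-size scenario also shows why the lookup-level check is worth having even though check_overlay_fdt() runs at the entry points: it turns a skipped or weakened validation into a miss rather than a false match.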
