+-- On Fri, 22 Mar 2019, Peter Maydell wrote --+
| This document is specific to aarch64, but the part of
| QEMU's device tree code being modified here is
| architecture independent.
|
| Cc'ing David Gibson who will probably know if there is
| an architecture-independent limit on DTB size we should
| be enforcing, or whether we are better just to have a check
| that avoids the overflow.

Thank you for CC'ing David. It seems Agraf did not receive email @suse.de.

The current limit defined by FDT_MAX_SIZE is ~1MB.

device_tree.c:
#define FDT_MAX_SIZE 0x100000

| It's also worth noting in the commit message that this is
| not a security problem -- even if the "add 10000 and double"
| calculation overflows, the load_image_size() function will
| not load more data into the buffer than will fit, so the
| behaviour will be to truncate the DTB.

True, load_image_size() helps to avoid a buffer overflow issue.

The proposed check (dt_size > FDT_MAX_SIZE) in this patch is to enforce the same size limit as used in create_device_tree(), and to avoid loading large files and the said integer overflow.

Thank you.
--
Prasad J Pandit / Red Hat Product Security Team
47AF CE69 3A90 54AA 9045 1053 DD13 3D32 FE5B 041F
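The two points the thread makes, that the "add 10000 and double" sizing can wrap on a large input and that a bounded load only ever truncates, can be shown side by side. The following is an added example and not QEMU's code: `fdt_buffer_size()` applies the limit check discussed above before the arithmetic, `fdt_buffer_size_unchecked()` is a constructed unsigned version of the same arithmetic used only to show the wrap-around, and `load_image_bounded()` is an assumed stand-in for the bounded copy behaviour of `load_image_size()`. The `FDT_MAX_SIZE` value is the one quoted in the thread; the sample DTB bytes are constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Value quoted in the thread from device_tree.c. */
#define FDT_MAX_SIZE 0x100000

/* Checked sizing: reject anything above FDT_MAX_SIZE before doing the
 * "add 10000 and double" arithmetic. Within the limit the result is at most
 * (0x100000 + 10000) * 2, which fits comfortably in an int, so no overflow
 * is possible once the check has passed. Returns false on rejection. */
bool fdt_buffer_size(long dt_size, int *out)
{
    if (dt_size < 0 || dt_size > FDT_MAX_SIZE) {
        return false;           /* file is larger than the enforced limit */
    }
    int size = (int)dt_size;
    size += 10000;
    size *= 2;
    *out = size;
    return true;
}

/* Constructed unchecked variant for demonstration only. It uses unsigned
 * arithmetic (well-defined wrap-around) so the example stays portable, and
 * shows how a huge reported file size wraps to a tiny buffer size. */
unsigned int fdt_buffer_size_unchecked(unsigned int dt_size)
{
    dt_size += 10000u;
    dt_size *= 2u;
    return dt_size;
}

/* Assumed stand-in for load_image_size(): copies at most buf_len bytes,
 * so an oversized image is truncated rather than overrunning the buffer.
 * Returns the number of bytes actually copied. */
size_t load_image_bounded(const unsigned char *file, size_t file_len,
                          unsigned char *buf, size_t buf_len)
{
    size_t n = file_len < buf_len ? file_len : buf_len;
    memcpy(buf, file, n);
    return n;
}

/* Constructed sample "DTB": 64 bytes of pattern data loaded into a
 * 16-byte buffer to show truncation. Returns bytes loaded. */
size_t demo_truncation(void)
{
    unsigned char image[64];
    unsigned char buf[16];
    for (size_t i = 0; i < sizeof image; i++) {
        image[i] = (unsigned char)i;
    }
    return load_image_bounded(image, sizeof image, buf, sizeof buf);
}

int main(void)
{
    int size;
    printf("0x100000 accepted: %d (buffer %d bytes)\n",
           fdt_buffer_size(0x100000, &size), size);
    printf("0x100001 accepted: %d\n", fdt_buffer_size(0x100001, &size));
    printf("unchecked(0xFFFFEC77) -> %u bytes\n",
           fdt_buffer_size_unchecked(0xFFFFEC77u));
    printf("64-byte image into 16-byte buffer: %zu bytes loaded\n",
           demo_truncation());
    return 0;
}
```

The unchecked call shows why the thread treats the overflow as a sizing bug rather than a memory-safety bug: the wrapped size would allocate a small buffer, but a bounded loader still copies no more than that buffer holds, so the DTB is truncated instead of overrun. The explicit limit check turns that silent truncation into a clear rejection.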