On 1/27/26 5:38 PM, Tom Rini wrote:
No, the check in fdt_getprop is only for the name, not the value (which
could be arbitrary binary data including many nul bytes).
I think the assumption in most of U-Boot is that the provided FDT is
trusted (or at least not maliciously ill-formed). Functions like
image_get_checksum_algo read up to 6 bytes beyond full_name if full_name
== "". It's possible to read off the end of the DTB if this is the very
last string in the strings block and there is no trailing padding. If
we're really concerned about this (e.g. to avoid false-positives with
ASAN), then we should just add (say) 16 bytes to the end of every DTB
when we malloc it.
Yes, we rely on the sanity checking in libfdt, which I think the kernel
also does.
And no, I'm not sure if we care enough about all of these corner cases,
but if we do then I'm not sure this right here and now is where to
start. It should start with upstream libfdt to see whatever cases aren't
handled, and then what cases fall on the callers to deal with wrt
security implications.
Because I really, really, really, do not want to block fixing booting on
some large number of boards because now we're going to depend first on a
security audit here.
So back to my and Sean's suggestion:
fdt_string_eq_() does effectively memcmp():
return p && (slen == len) && (memcmp(p, s, len) == 0);
So do this and be done with it?
type = fdt_getprop(fdt, node, FIT_TYPE_PROP, &len);
/* fdt_getprop() reports the value length including the terminating NUL,
 * so a well-formed "flat_dt" value has len == sizeof("flat_dt") == 8 */
if (type && len == sizeof("flat_dt") && !memcmp(type, "flat_dt", len))
	align_size = 8;
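To make the bounded comparison concrete, here is an added example (not U-Boot or libfdt code, and not from anyone in this thread) that does the length-plus-memcmp check on a value as fdt_getprop() would return it, i.e. a raw pointer and a byte length with no guarantee of a NUL terminator. The helper names prop_str_eq and align_for_type, the 4-byte fallback alignment and the sample values are all assumptions made for the example; the only thing taken from the thread is that a "flat_dt" image gets align_size = 8.

```c
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/*
 * Added example, not U-Boot or libfdt code. fdt_getprop() hands back a
 * pointer to the raw value and its byte length; it never validates that a
 * string value is NUL-terminated, so strcmp() on it can run past the value
 * (and, for the last entry in the blob, past the DTB itself). The helper
 * below never touches more than `len` bytes.
 */

/* A well-formed devicetree string value carries its NUL, so "flat_dt" has
 * len == 8. Reject anything that is not exactly the expected string + NUL. */
static int prop_str_eq(const void *val, int len, const char *want)
{
	const char *p = val;
	size_t wlen = strlen(want);

	if (!p || len < 0 || (size_t)len != wlen + 1)
		return 0;
	return memcmp(p, want, wlen) == 0 && p[wlen] == '\0';
}

/* Mirrors the decision in the thread: a "flat_dt" image gets 8-byte
 * alignment. The 4-byte fallback is an assumption for this example, not a
 * value taken from U-Boot. */
static int align_for_type(const void *type, int len)
{
	return prop_str_eq(type, len, "flat_dt") ? 8 : 4;
}

/* Constructed sample values, standing in for what fdt_getprop() would return
 * for the "type" property of a FIT image node. */
static const char good_type[] = "flat_dt";        /* len 8, NUL included   */
static const char unterminated[] = "flat_dtJUNK";  /* only first 7 bytes    */
static const char other_type[] = "kernel";

/* Returns 1 when every case behaves as expected, 0 otherwise. */
static int demo(void)
{
	int ok = 1;

	ok &= align_for_type(good_type, sizeof(good_type)) == 8;
	/* A 7-byte value with no NUL is malformed; strcmp() would read on into
	 * "JUNK", the bounded compare simply rejects it without looking. */
	ok &= align_for_type(unterminated, 7) == 4;
	ok &= align_for_type(other_type, sizeof(other_type)) == 4;
	/* Missing property: fdt_getprop() returns NULL with a negative len. */
	ok &= align_for_type(NULL, -1) == 4;
	return ok;
}

int main(void)
{
	int ok = demo();

	printf("bounded FIT type compare: %s\n", ok ? "ok" : "FAIL");
	return ok ? 0 : 1;
}
```

The exact-length check is the point: it accepts only the expected string plus its NUL, so a truncated or unterminated value is rejected before memcmp() is even reached, and no byte beyond len is ever read.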