From patchwork Fri Jul 6 11:37:15 2018
X-Patchwork-Submitter: Mark Rutland
X-Patchwork-Id: 141294
From: Mark Rutland
To: linux-kernel@vger.kernel.org
Cc: Mark Rutland, Rob Herring, Frank Rowand, devicetree@vger.kernel.org
Subject: [PATCH] of/fdt: avoid undefined behaviour in populate_properties()
Date: Fri, 6 Jul 2018 12:37:15 +0100
Message-Id: <20180706113715.30053-1-mark.rutland@arm.com>

We unflatten a device tree in two passes: the first calculating the size
of the unflattened tree, and the second performing the actual
unflattening into a suitably-sized buffer.

During the first (dryrun) pass, the memory pool is NULL, and we derive
other pointers from this. Mostly these are done through intermediate casts
to unsigned long, which prevents the compiler from being able to observe
this as undefined behaviour.

However, in populate_properties() we derive the pprev pointer from the
np pointer, which is NULL if it is the first element allocated from the
memory pool.
This is detected by UBSAN:

================================================================================
UBSAN: Undefined behaviour in drivers/of/fdt.c:190:8
member access within null pointer of type 'struct device_node'
CPU: 0 PID: 0 Comm: swapper Not tainted 4.18.0-rc3+ #13
Hardware name: ARM Juno development board (r1) (DT)
Call trace:
 dump_backtrace+0x0/0x458
 show_stack+0x20/0x30
 dump_stack+0x18c/0x248
 ubsan_epilogue+0x18/0x94
 handle_null_ptr_deref+0x1d4/0x228
 __ubsan_handle_type_mismatch_v1+0x188/0x1e0
 unflatten_dt_nodes+0xd40/0x1000
 __unflatten_device_tree+0x58/0x248
 unflatten_device_tree+0x38/0x4c
 setup_arch+0x3b0/0xcc4
 start_kernel+0xd8/0xb9c
================================================================================

In the dryrun pass we don't actually use the pprev value, so let's only
set it when !dryrun, and avoid the undefined behaviour.

Signed-off-by: Mark Rutland
Cc: Rob Herring
Cc: Frank Rowand
Cc: devicetree@vger.kernel.org
Reviewed-by: Frank Rowand
--- drivers/of/fdt.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/drivers/of/fdt.c b/drivers/of/fdt.c index 6da20b9688f7..c1d0c348f2b3 100644 --- a/drivers/of/fdt.c +++ b/drivers/of/fdt.c @@ -187,7 +187,9 @@ static void populate_properties(const void *blob, int cur; bool has_name = false; - pprev = &np->properties; + if (!dryrun) + pprev = &np->properties; + for (cur = fdt_first_property_offset(blob, offset); cur >= 0; cur = fdt_next_property_offset(blob, cur)) {
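
Review bot: in the populate_properties() hunk, pprev is now assigned only under `if (!dryrun)`, so on the dryrun pass it keeps whatever value its declaration gave it, and that declaration is outside the visible context. If it is declared without an initialiser, any later use of pprev that is not itself guarded by !dryrun reads an indeterminate value, and some compilers will warn about a possibly uninitialised variable. Consider initialising it to NULL at the declaration, and add a one-line comment above the new `if` saying that np is NULL on the dryrun pass, so the reason for the guard stays with the code rather than only in the commit message.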
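
The two-pass pattern the commit message describes, as a user-space C example added here; it is not the kernel's code. The names struct prop, struct node, pool_alloc(), build() and unflatten() are hypothetical, and the input is a constructed int array standing in for the flattened tree.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>

/* Hypothetical stand-ins for struct property / struct device_node. */
struct prop { int value; struct prop *next; };
struct node { int id; struct prop *properties; };

/* Bump allocator: arithmetic stays in uintptr_t, so a zero base on the
 * dryrun pass only advances an offset; no object is accessed here. */
static void *pool_alloc(uintptr_t *mem, size_t size, size_t align)
{
    *mem = (*mem + align - 1) & ~(uintptr_t)(align - 1);
    void *res = (void *)*mem;
    *mem += size;
    return res;
}

/* One pass over constructed input; returns the bytes consumed from base. */
static size_t build(uintptr_t base, const int *vals, size_t n, bool dryrun)
{
    uintptr_t mem = base;
    struct node *np = pool_alloc(&mem, sizeof(*np), _Alignof(struct node));
    struct prop **pprev = NULL;
    if (!dryrun) {          /* np is NULL when dryrun: form &np->... only here */
        np->id = 1;
        pprev = &np->properties;
    }
    for (size_t i = 0; i < n; i++) {
        struct prop *pp = pool_alloc(&mem, sizeof(*pp), _Alignof(struct prop));
        if (dryrun)
            continue;       /* sizing only: pp and pprev are never touched */
        pp->value = vals[i];
        *pprev = pp;
        pprev = &pp->next;
    }
    if (!dryrun)
        *pprev = NULL;      /* terminate the property list */
    return (size_t)(mem - base);
}

/* Two-pass driver: size with base 0, then fill a buffer of that size. */
static struct node *unflatten(const int *vals, size_t n)
{
    void *buf = malloc(build(0, vals, n, true));
    if (buf)
        build((uintptr_t)buf, vals, n, false);
    return buf;
}
```

Building this with -fsanitize=undefined and moving the pprev assignment out of the !dryrun branch reproduces the class of report quoted in the commit message.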