patches/0923-of-overlay-Fix-out-of-bounds-write-in-init_overlay_c.patch - pub/scm/linux/kernel/git/geert/ltsi-kernel - Git at Google

 From e8b167d256e67d6b1f40ca905887c7e26d55ce67 Mon Sep 17 00:00:00 2001
 From: Geert Uytterhoeven <geert+renesas@glider.be>
 Date: Fri, 8 Dec 2017 14:13:02 +0100
 Subject: [PATCH 0923/1795] of: overlay: Fix out-of-bounds write in
  init_overlay_changeset()

 If an overlay has no "__symbols__" node, but it has nodes without
 "__overlay__" subnodes at the end (e.g. a "__fixups__" node), after
 filling in all fragments for nodes with "__overlay__" subnodes,
 "fragment = &fragments[cnt]" will point beyond the end of the allocated
 array.

 Hence writing to "fragment->overlay" will overwrite unallocated memory,
 which may lead to a crash later.

 Fix this by deferring both the assignment to "fragment" and the
 offending write afterwards until we know for sure the node has an
 "__overlay__" subnode, and thus a valid entry in "fragments[]".

 Fixes: 61b4de4e0b384f4a ("of: overlay: minor restructuring")
 Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
 Signed-off-by: Rob Herring <robh@kernel.org>
 (cherry picked from commit 35e691eddca565f475ba69ff84ca0c9db3b3257b)
 Signed-off-by: Simon Horman <horms+renesas@verge.net.au>
 Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
 ---
  drivers/of/overlay.c | 7 ++++---
  1 file changed, 4 insertions(+), 3 deletions(-)

 diff --git a/drivers/of/overlay.c b/drivers/of/overlay.c
 index fcce5cdbe229..83bb2edfc65c 100644
 --- a/drivers/of/overlay.c
 +++ b/drivers/of/overlay.c
 @@ -572,9 +572,10 @@ static int init_overlay_changeset(struct overlay_changeset *ovcs,

  	cnt = 0;
  	for_each_child_of_node(tree, node) {
 -		fragment = &fragments[cnt];
 -		fragment->overlay = of_get_child_by_name(node, "__overlay__");
 -		if (fragment->overlay) {
 +		overlay_node = of_get_child_by_name(node, "__overlay__");
 +		if (overlay_node) {
 +			fragment = &fragments[cnt];
 +			fragment->overlay = overlay_node;
  			fragment->target = find_target_node(node);
  			if (!fragment->target) {
  				of_node_put(fragment->overlay);
 --
 2.19.0
	From e8b167d256e67d6b1f40ca905887c7e26d55ce67 Mon Sep 17 00:00:00 2001
	From: Geert Uytterhoeven <geert+renesas@glider.be>
	Date: Fri, 8 Dec 2017 14:13:02 +0100
	Subject: [PATCH 0923/1795] of: overlay: Fix out-of-bounds write in
	init_overlay_changeset()

	If an overlay has no "__symbols__" node, but it has nodes without
	"__overlay__" subnodes at the end (e.g. a "__fixups__" node), after
	filling in all fragments for nodes with "__overlay__" subnodes,
	"fragment = &fragments[cnt]" will point beyond the end of the allocated
	array.

	Hence writing to "fragment->overlay" will overwrite unallocated memory,
	which may lead to a crash later.

	Fix this by deferring both the assignment to "fragment" and the
	offending write afterwards until we know for sure the node has an
	"__overlay__" subnode, and thus a valid entry in "fragments[]".

	Fixes: 61b4de4e0b384f4a ("of: overlay: minor restructuring")
	Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
	Signed-off-by: Rob Herring <robh@kernel.org>
	(cherry picked from commit 35e691eddca565f475ba69ff84ca0c9db3b3257b)
	Signed-off-by: Simon Horman <horms+renesas@verge.net.au>
	Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
	---
	drivers/of/overlay.c \| 7 ++++---
	1 file changed, 4 insertions(+), 3 deletions(-)

	diff --git a/drivers/of/overlay.c b/drivers/of/overlay.c
	index fcce5cdbe229..83bb2edfc65c 100644
	--- a/drivers/of/overlay.c
	+++ b/drivers/of/overlay.c
	@@ -572,9 +572,10 @@ static int init_overlay_changeset(struct overlay_changeset *ovcs,

	cnt = 0;
	for_each_child_of_node(tree, node) {
	- fragment = &fragments[cnt];
	- fragment->overlay = of_get_child_by_name(node, "__overlay__");
	- if (fragment->overlay) {
	+ overlay_node = of_get_child_by_name(node, "__overlay__");
	+ if (overlay_node) {
	+ fragment = &fragments[cnt];
	+ fragment->overlay = overlay_node;
	fragment->target = find_target_node(node);
	if (!fragment->target) {
	of_node_put(fragment->overlay);
	--
	2.19.0