early_init_dt_scan_chosen_stdout() fetches stdout-path and
linux,stdout-path directly from the flat DT and immediately passes the
result to strchrnul(). Flat DT properties are raw firmware-supplied
byte sequences, and this path does not prove that either property is
NUL-terminated within its declared bounds.

Use fdt_stringlist_get() so malformed unterminated stdout-path
properties are rejected before the local parser walks them as C
strings.

Signed-off-by: Pengpeng Hou <pengpeng@iscas.ac.cn>
---
 drivers/of/fdt.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/of/fdt.c b/drivers/of/fdt.c
index 331646d667b9..3dcd20c2fa73 100644
--- a/drivers/of/fdt.c
+++ b/drivers/of/fdt.c
@@ -954,9 +954,9 @@ int __init early_init_dt_scan_chosen_stdout(void)
 	if (offset < 0)
 		return -ENOENT;
 
-	p = fdt_getprop(fdt, offset, "stdout-path", &l);
+	p = fdt_stringlist_get(fdt, offset, "stdout-path", 0, &l);
 	if (!p)
-		p = fdt_getprop(fdt, offset, "linux,stdout-path", &l);
+		p = fdt_stringlist_get(fdt, offset, "linux,stdout-path", 0, &l);
 	if (!p || !l)
 		return -ENOENT;
 
-- 
2.50.1 (Apple Git-155)

On Fri, 03 Apr 2026 11:55:29 +0800, Pengpeng Hou wrote:
> early_init_dt_scan_chosen_stdout() fetches stdout-path and
> linux,stdout-path directly from the flat DT and immediately passes the
> result to strchrnul(). Flat DT properties are raw firmware-supplied
> byte sequences, and this path does not prove that either property is
> NUL-terminated within its declared bounds.
> 
> Use fdt_stringlist_get() so malformed unterminated stdout-path
> properties are rejected before the local parser walks them as C
> strings.
> 
> Signed-off-by: Pengpeng Hou <pengpeng@iscas.ac.cn>
> ---
>  drivers/of/fdt.c | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
> 

Applied, thanks!