From: Pengpeng Hou
Date: Fri, 3 Apr 2026 16:56:36 +0800
Message-ID: <20260404101005.5-powerpc-boot-pengpeng@iscas.ac.cn>
To: Madhavan Srinivasan, Michael Ellerman
Cc: Nicholas Piggin, "Christophe Leroy (CS GROUP)", linuxppc-dev@lists.ozlabs.org, linux-kernel@vger.kernel.org, pengpeng@iscas.ac.cn
Subject: [PATCH] powerpc/boot: validate compatible entries before comparing them
Content-Transfer-Encoding: quoted-printable

`dt_is_compatible()` reads a raw `"compatible"` property into `prop_buf` and then immediately calls `strcmp(buf + pos, compat)` on each string-list entry.
If the current entry is not NUL-terminated within the returned property length, `strcmp()` reads past the end of the local buffer before the following `strnlen()` has any chance to reject the malformed property. Validate the current entry with `strnlen()` first and only compare bounded, terminated compatible strings. Signed-off-by: Pengpeng Hou --- arch/powerpc/boot/devtree.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/arch/powerpc/boot/devtree.c b/arch/powerpc/boot/devtree.c index 58fbcfcc98c9..d93822f61831 100644 --- a/arch/powerpc/boot/devtree.c +++ b/arch/powerpc/boot/devtree.c @@ -343,11 +343,16 @@ int dt_is_compatible(void *node, const char *compat) if (len < 0) return 0; =20 - for (pos =3D 0; pos < len; pos++) { + for (pos =3D 0; pos < len; ) { + int entry_len =3D strnlen(&buf[pos], len - pos); + + if (entry_len =3D=3D len - pos) + return 0; + if (!strcmp(buf + pos, compat)) return 1; =20 - pos +=3D strnlen(&buf[pos], len - pos); + pos +=3D entry_len + 1; } =20 return 0; --=20 2.50.1 (Apple Git-155)
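
Review bot: the bound handed to strnlen() in the new loop is `len - pos`, and the only check on `len` visible in this hunk is `if (len < 0) return 0;`. If the property read can report a length larger than the buffer it actually filled, strnlen() and the strcmp() after it can still walk past the end of the buffer, so either clamp `len` to the buffer size before the loop or state in the commit message why `len` cannot exceed it. A smaller point on the same lines: `entry_len` is declared `int` and compared against `len - pos`; if strnlen() returns an unsigned type in this tree, declaring `entry_len` with the matching type or casting explicitly would make the `entry_len == len - pos` test easier to audit.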