To: Paul Walmsley, Palmer Dabbelt, Albert Ou
Cc: Alexandre Ghiti, Nutty Liu, Junhui Liu, linux-riscv@lists.infradead.org, linux-kernel@vger.kernel.org, pengpeng@iscas.ac.cn
From: Pengpeng Hou
Date: Fri, 3 Apr 2026 08:47:58 +0800
Subject: [PATCH] riscv: pi: validate early FDT string properties before string use
Message-Id: <69CF182D.10A8E5.26415@cstnet.cn>

The early RISC-V FDT parser reads status, riscv,isa, and mmu-type directly from the DTB and then passes them to strcmp() or isa_string_contains(), which in turn uses strlen() and other C string helpers. DT string properties come from external firmware input and are not locally proven to be NUL-terminated within the property bounds.

Use fdt_stringlist_get() before treating these properties as C strings so malformed unterminated properties are rejected instead of being read past their declared length. Signed-off-by: Pengpeng Hou --- arch/riscv/kernel/pi/fdt_early.c | 15 ++++++--------- 1 file changed, 6 insertions(+), 9 deletions(-) diff --git a/arch/riscv/kernel/pi/fdt_early.c b/arch/riscv/kernel/pi/fdt_ea= rly.c index a12ff8090f19..a44afd460d70 100644 --- a/arch/riscv/kernel/pi/fdt_early.c +++ b/arch/riscv/kernel/pi/fdt_early.c @@ -38,16 +38,13 @@ u64 get_kaslr_seed(uintptr_t dtb_pa) static bool fdt_device_is_available(const void *fdt, int node) { const char *status; - int statlen; =20 - status =3D fdt_getprop(fdt, node, "status", &statlen); + status =3D fdt_stringlist_get(fdt, node, "status", 0, NULL); if (!status) return true; =20 - if (statlen > 0) { - if (!strcmp(status, "okay") || !strcmp(status, "ok")) - return true; - } + if (!strcmp(status, "okay") || !strcmp(status, "ok")) + return true; =20 return false; } @@ -137,14 +134,14 @@ static bool isa_string_contains(const char *isa_str, = const char *ext_name) */ static bool early_cpu_isa_ext_available(const void *fdt, int node, const c= har *ext_name) { - const void *prop; + const char *prop; int len; =20 prop =3D fdt_getprop(fdt, node, "riscv,isa-extensions", &len); if (prop && fdt_stringlist_contains(prop, len, ext_name)) return true; =20 - prop =3D fdt_getprop(fdt, node, "riscv,isa", &len); + prop =3D fdt_stringlist_get(fdt, node, "riscv,isa", 0, &len); if (prop && isa_string_contains(prop, ext_name)) return true; =20 @@ -210,7 +207,7 @@ u64 set_satp_mode_from_fdt(uintptr_t dtb_pa) if (!fdt_device_is_available(fdt, node)) continue; =20 - mmu_type =3D fdt_getprop(fdt, node, "mmu-type", NULL); + mmu_type =3D fdt_stringlist_get(fdt, node, "mmu-type", 0, NULL); if (!mmu_type) break; =20 --=20 2.50.1 (Apple Git-155)
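
Review bot: In fdt_device_is_available(), passing NULL for lenp means a missing status and a malformed one both come back as NULL and both reach "if (!status) return true;", so a node whose status is not NUL-terminated is reported as available rather than rejected. Removing the "statlen > 0" test also changes the zero-length case: fdt_stringlist_get() returns NULL for a property that holds no string, so an empty status that used to return false now returns true. Suggest passing an int for lenp and returning false when it comes back as -FDT_ERR_BADVALUE, and stating in the commit message whether the empty-status change is intended.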
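
Review bot: In early_cpu_isa_ext_available(), the riscv,isa call writes the string length or a negative error into len, but nothing reads len after that call. Either pass NULL there, as the status and mmu-type call sites do, or test the value so that a malformed riscv,isa can be told apart from a missing one.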
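
Review bot: In set_satp_mode_from_fdt(), a malformed mmu-type now takes the existing "if (!mmu_type) break;" path, which ends the CPU node scan exactly as a missing property does. A short comment at that check saying that NULL covers both the absent and the unterminated case, and that stopping the scan is the intended handling for both, would make the new behaviour explicit.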
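
The bounded check the commit message describes, as an added example that is not part of the patch or of libfdt: prop_first_string(), status_is_okay(), the status codes and the sample bytes are hypothetical and constructed here. It goes slightly beyond the patch by reporting empty and unterminated values separately from a valid string.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical result codes for this example (not libfdt error values). */
enum prop_status { PROP_OK, PROP_EMPTY, PROP_UNTERMINATED };

/*
 * Return the property value as a C string only if a NUL terminator lies
 * inside its declared length; never reads past prop + len.
 */
const char *prop_first_string(const void *prop, size_t len,
                              enum prop_status *st)
{
    if (len == 0) {
        *st = PROP_EMPTY;
        return NULL;
    }
    if (!memchr(prop, '\0', len)) {   /* bounded scan for the terminator */
        *st = PROP_UNTERMINATED;
        return NULL;
    }
    *st = PROP_OK;
    return prop;
}

/* Availability check that treats an empty or malformed value as "not okay". */
int status_is_okay(const void *prop, size_t len)
{
    enum prop_status st;
    const char *s = prop_first_string(prop, len, &st);

    if (!s)
        return 0;
    return !strcmp(s, "okay") || !strcmp(s, "ok");
}

/*
 * Constructed sample: a 4-byte property holding "okay" with no terminator,
 * followed in memory by unrelated bytes, as can happen inside a DTB blob.
 */
const char sample_blob[] = { 'o', 'k', 'a', 'y', 'X', 'X', '\0' };

int main(void)
{
    /* Declared length 4: rejected, although strcmp() would keep reading. */
    return status_is_okay(sample_blob, 4);
}
```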