[PATCH] powerpc/boot: validate compatible entries before comparing them

Next message: Willy Tarreau: "Re: [PATCH 2/3] selftests/nolibc: test the memory allocator"
Previous message: Krishna Chaitanya Chundru: "[PATCH 1/2] PCI: Add pcie_link_is_active() to determine if the link is active"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Pengpeng Hou

Date: Sat Apr 04 2026 - 04:53:53 EST

`dt_is_compatible()` reads a raw `"compatible"` property into `prop_buf`
and then immediately calls `strcmp(buf + pos, compat)` on each string-list
entry.

If the current entry is not NUL-terminated within the returned property
length, `strcmp()` reads past the end of the local buffer before the
following `strnlen()` has any chance to reject the malformed property.

Validate the current entry with `strnlen()` first and only compare
bounded, terminated compatible strings.

Signed-off-by: Pengpeng Hou <pengpeng@xxxxxxxxxxx>
---
arch/powerpc/boot/devtree.c | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/arch/powerpc/boot/devtree.c b/arch/powerpc/boot/devtree.c
index 58fbcfcc98c9..d93822f61831 100644
--- a/arch/powerpc/boot/devtree.c
+++ b/arch/powerpc/boot/devtree.c
@@ -343,11 +343,16 @@ int dt_is_compatible(void *node, const char *compat)
if (len < 0)
return 0;

- for (pos = 0; pos < len; pos++) {
+ for (pos = 0; pos < len; ) {
+ int entry_len = strnlen(&buf[pos], len - pos);
+
+ if (entry_len == len - pos)
+ return 0;
+
if (!strcmp(buf + pos, compat))
return 1;

- pos += strnlen(&buf[pos], len - pos);
+ pos += entry_len + 1;
}

return 0;
--
2.50.1 (Apple Git-155)