[PATCH master 1/4] FIT: fix potential uninitialized read during fuzzing

mail archive of the barebox mailing list
 help / color / mirror / Atom feed

* [PATCH master 1/4] FIT: fix potential uninitialized read during fuzzing
@ 2026-02-16  8:41 Ahmad Fatoum
  2026-02-16  8:41 ` [PATCH master 2/4] FIT: fix potential underflow of stack array Ahmad Fatoum
                   ` (2 more replies)
  0 siblings, 3 replies; 4+ messages in thread
From: Ahmad Fatoum @ 2026-02-16  8:41 UTC (permalink / raw)
  To: barebox; +Cc: Ahmad Fatoum, Claude Opus 4.6

fit_find_last_unit should return -ENOENT when conf_node is NULL
instead of returning 0 without writing *out_unit, as that left
the caller's unit variable uninitialized.

Reported-by: GCC 14.2 -fanalyzer
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Signed-off-by: Ahmad Fatoum <a.fatoum@pengutronix.de>
---
 common/image-fit.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/common/image-fit.c b/common/image-fit.c
index 26bd8e265b25..104a01b73658 100644
--- a/common/image-fit.c
+++ b/common/image-fit.c
@@ -860,7 +860,7 @@ static int fit_find_last_unit(struct fit_handle *handle,
 	const char *unit = NULL;
 
 	if (!conf_node)
-		return 0;
+		return -ENOENT;
 
 	for_each_child_of_node(conf_node, child)
 		unit = child->name;
-- 
2.47.3




^ permalink raw reply	[flat|nested] 4+ messages in thread

* [PATCH master 2/4] FIT: fix potential underflow of stack array
  2026-02-16  8:41 [PATCH master 1/4] FIT: fix potential uninitialized read during fuzzing Ahmad Fatoum
@ 2026-02-16  8:41 ` Ahmad Fatoum
  2026-02-16  8:41 ` [PATCH master 3/4] of: fdt: fix double free in fdt_ensure_space Ahmad Fatoum
  2026-02-16  8:41 ` [PATCH master 4/4] of: overlay: initialize ret to fix garbage return value Ahmad Fatoum
  2 siblings, 0 replies; 4+ messages in thread
From: Ahmad Fatoum @ 2026-02-16  8:41 UTC (permalink / raw)
  To: barebox; +Cc: Ahmad Fatoum, Claude Opus 4.6

Add a bounds check on depth before decrementing to prevent
stack underflow when a malformed FDT has END_NODE before BEGIN_NODE.

Reported-by: clang-analyzer 19.1.7
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Signed-off-by: Ahmad Fatoum <a.fatoum@pengutronix.de>
---
 common/image-fit.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/common/image-fit.c b/common/image-fit.c
index 104a01b73658..a5d0a189f27c 100644
--- a/common/image-fit.c
+++ b/common/image-fit.c
@@ -153,6 +153,8 @@ static int fit_digest(struct fit_handle *handle, struct digest *digest,
 		case FDT_END_NODE:
 			dt_struct = dt_struct_advance(&f, dt_struct, FDT_TAGSIZE);
 
+			if (depth < 0)
+				return -ESPIPE;
 			include = want;
 			want = stack[depth--];
 			while (end > path && *--end != '/')
-- 
2.47.3




^ permalink raw reply	[flat|nested] 4+ messages in thread

* [PATCH master 3/4] of: fdt: fix double free in fdt_ensure_space
  2026-02-16  8:41 [PATCH master 1/4] FIT: fix potential uninitialized read during fuzzing Ahmad Fatoum
  2026-02-16  8:41 ` [PATCH master 2/4] FIT: fix potential underflow of stack array Ahmad Fatoum
@ 2026-02-16  8:41 ` Ahmad Fatoum
  2026-02-16  8:41 ` [PATCH master 4/4] of: overlay: initialize ret to fix garbage return value Ahmad Fatoum
  2 siblings, 0 replies; 4+ messages in thread
From: Ahmad Fatoum @ 2026-02-16  8:41 UTC (permalink / raw)
  To: barebox; +Cc: Ahmad Fatoum, Claude Opus 4.6

fdt_ensure_space() frees the original buffer on memalign_realloc()
failure, but on error, the buffer is already freed by
memalign_realloc() unlike realloc().

Fix this by aligning memalign_realloc() behavior with normal realloc()
and adapting callers accordingly.

Fixes: dd36494ae2 ("of: fdt: fix memory leak in fdt_ensure_space")
Reported-by: GCC 14.2 -fanalyzer
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
Signed-off-by: Ahmad Fatoum <a.fatoum@pengutronix.de>
---
 drivers/of/fdt.c | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/drivers/of/fdt.c b/drivers/of/fdt.c
index ea763cf7a52a..658718d4e238 100644
--- a/drivers/of/fdt.c
+++ b/drivers/of/fdt.c
@@ -421,10 +421,8 @@ static void *memalign_realloc(void *orig, size_t oldsize, size_t newsize)
 		return memalign(align, newsize);
 
 	newbuf = memalign(align, newsize);
-	if (!newbuf) {
-		free(orig);
+	if (!newbuf)
 		return NULL;
-	}
 
 	memcpy(newbuf, orig, oldsize);
 	free(orig);
@@ -606,10 +604,13 @@ void *of_flatten_dtb(struct device_node *node)
 	header.size_dt_strings = cpu_to_fdt32(fdt.str_nextofs);
 
 	if (fdt.dt_size - fdt.dt_nextofs < fdt.str_nextofs) {
-		fdt.dt = memalign_realloc(fdt.dt, fdt.dt_size,
+		void *newmem;
+
+		newmem = memalign_realloc(fdt.dt, fdt.dt_size,
 				fdt.dt_nextofs + fdt.str_nextofs);
-		if (!fdt.dt)
+		if (!newmem)
 			goto out_free;
+		fdt.dt = newmem;
 	}
 
 	memcpy(fdt.dt + fdt.dt_nextofs, fdt.strings, fdt.str_nextofs);
-- 
2.47.3




^ permalink raw reply	[flat|nested] 4+ messages in thread

* [PATCH master 4/4] of: overlay: initialize ret to fix garbage return value
  2026-02-16  8:41 [PATCH master 1/4] FIT: fix potential uninitialized read during fuzzing Ahmad Fatoum
  2026-02-16  8:41 ` [PATCH master 2/4] FIT: fix potential underflow of stack array Ahmad Fatoum
  2026-02-16  8:41 ` [PATCH master 3/4] of: fdt: fix double free in fdt_ensure_space Ahmad Fatoum
@ 2026-02-16  8:41 ` Ahmad Fatoum
  2 siblings, 0 replies; 4+ messages in thread
From: Ahmad Fatoum @ 2026-02-16  8:41 UTC (permalink / raw)
  To: barebox; +Cc: Ahmad Fatoum, Claude Opus 4.6

If the FIT image has no valid overlay configuration nodes, the
for_each_child_of_node loop never executes and ret is returned
uninitialized. Initialize it to 0 since having no overlay
configurations to apply is not an error.

Reported-by: GCC 14.2 -fanalyzer
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Signed-off-by: Ahmad Fatoum <a.fatoum@pengutronix.de>
---
 drivers/of/overlay.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/of/overlay.c b/drivers/of/overlay.c
index d2cf2fa3f371..f0c3c783dd58 100644
--- a/drivers/of/overlay.c
+++ b/drivers/of/overlay.c
@@ -537,7 +537,7 @@ static int of_overlay_global_fixup_fit(struct device_node *root,
 	enum bootm_verify verify = bootm_get_verify_mode();
 	struct device_node *conf_node;
 	struct fit_handle *fit;
-	int ret;
+	int ret = 0;
 
 	if (!IS_ENABLED(CONFIG_FITIMAGE)) {
 		pr_err("FIT based overlay handling requested while CONFIG_FITIMAGE=n\n");
-- 
2.47.3




^ permalink raw reply	[flat|nested] 4+ messages in thread

end of thread, other threads:[~2026-02-16  8:42 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2026-02-16  8:41 [PATCH master 1/4] FIT: fix potential uninitialized read during fuzzing Ahmad Fatoum
2026-02-16  8:41 ` [PATCH master 2/4] FIT: fix potential underflow of stack array Ahmad Fatoum
2026-02-16  8:41 ` [PATCH master 3/4] of: fdt: fix double free in fdt_ensure_space Ahmad Fatoum
2026-02-16  8:41 ` [PATCH master 4/4] of: overlay: initialize ret to fix garbage return value Ahmad Fatoum

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox