
Commit 35e691e

geertu authored and robherring committed
of: overlay: Fix out-of-bounds write in init_overlay_changeset()
If an overlay has no "__symbols__" node, but it has nodes without "__overlay__" subnodes at the end (e.g. a "__fixups__" node), after filling in all fragments for nodes with "__overlay__" subnodes, "fragment = &fragments[cnt]" will point beyond the end of the allocated array. Hence writing to "fragment->overlay" will overwrite unallocated memory, which may lead to a crash later.

Fix this by deferring both the assignment to "fragment" and the offending write afterwards until we know for sure the node has an "__overlay__" subnode, and thus a valid entry in "fragments[]".

Fixes: 61b4de4 ("of: overlay: minor restructuring")
Signed-off-by: Geert Uytterhoeven <[email protected]>
Signed-off-by: Rob Herring <[email protected]>
1 parent 5e47481 commit 35e691e

File tree: 1 file changed, +4 -3 lines changed


drivers/of/overlay.c

Lines changed: 4 additions & 3 deletions
@@ -572,9 +572,10 @@ static int init_overlay_changeset(struct overlay_changeset *ovcs,
572572

573573
cnt = 0;
574574
for_each_child_of_node(tree, node) {
575-
fragment = &fragments[cnt];
576-
fragment->overlay = of_get_child_by_name(node, "__overlay__");
577-
if (fragment->overlay) {
575+
overlay_node = of_get_child_by_name(node, "__overlay__");
576+
if (overlay_node) {
577+
fragment = &fragments[cnt];
578+
fragment->overlay = overlay_node;
578579
fragment->target = find_target_node(node);
579580
if (!fragment->target) {
580581
of_node_put(fragment->overlay);
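Review bot: the reorder is correct: `fragment = &fragments[cnt]` now executes only when `overlay_node` is non-NULL, so trailing nodes without an "__overlay__" child (the "__fixups__" case from the commit message) can no longer index past the `cnt` entries allocated for `fragments[]`. Two things to confirm: `overlay_node` is not declared in this hunk, so it must already be a `struct device_node *` local of init_overlay_changeset() and not shadow another use; and a one-line comment above `if (overlay_node)` stating that a fragment slot must not be claimed before the "__overlay__" check would guard against the same regression reappearing in a future restructure, given that the Fixes: tag points at a restructuring commit. The error path below is unaffected: `of_node_put(fragment->overlay)` still drops the reference taken by of_get_child_by_name(), since `fragment->overlay` and `overlay_node` are the same pointer.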

0 commit comments
