qemu-devel

Re: [Qemu-devel] [PATCH] device_tree: check device tree blob file size


From: P J P
Subject: Re: [Qemu-devel] [PATCH] device_tree: check device tree blob file size
Date: Mon, 25 Mar 2019 16:04:33 +0530 (IST)

  Hello David,

+-- On Mon, 25 Mar 2019, David Gibson wrote --+
| The only inherent limit to dtb size should be 2^31-1 bytes (the format
| uses signed 32-bit ints as offsets).

  ~2GB of dtb?! Seems quite big to specify the h/w that a kernel is
going to run/boot on.

| Indeed there shouldn't be any architecture (as in instruction set)
| dependent limits either.  There may however be more specific platform
| dependent limits.

  $ find . -name \*.dts -exec ls -shXS --color {} \; | sort -grk1 | less -r

   -> https://paste.fedoraproject.org/paste/~9p-lVWwX7jmngHMQjCBsg

Going through the .dts files in the Linux kernel tree, 64KB appears to top 
the list of file sizes.

IMO, generic 2MB of dtb size limit is reasonable; considering 64KB is the max 
we are seeing, plus QEMU has FDT_MAX_SIZE defined to be 0x100000(~1MB), and 
no one has complained that it's too small.

| Yeah, you should probably make that hard error rather than truncating.
| If a system works with a truncated tree, it can only be by sheer
| accident.

Yes, current patch would 'goto fail; if (dt_size > FDT_MAX_SIZE)'.


Thank you.
--
Prasad J Pandit / Red Hat Product Security Team
47AF CE69 3A90 54AA 9045 1053 DD13 3D32 FE5B 041F
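
The size check discussed in this message, as an added example that is not part of the original email or of QEMU's code: it rejects an oversized or inconsistent blob with a hard error instead of truncating it. `dtb_check`, `dtb_check_sample` and the status names are hypothetical; `FDT_MAX_SIZE` uses the value quoted in the message, and the header layout (big-endian magic `0xd00dfeed` at offset 0, `totalsize` at offset 4) is the standard flattened device tree format.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define FDT_MAGIC    0xd00dfeedu /* stored big-endian at offset 0 */
#define FDT_MAX_SIZE 0x100000u   /* limit quoted in the message above */
#define FDT_HDR_MIN  8u          /* magic + totalsize, the fields read here */

enum dtb_status { DTB_OK, DTB_TOO_SMALL, DTB_TOO_BIG, DTB_BAD_MAGIC, DTB_SIZE_MISMATCH };

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Hypothetical helper: validate a blob of file_size bytes before parsing it. */
enum dtb_status dtb_check(const uint8_t *buf, size_t file_size)
{
    if (file_size < FDT_HDR_MIN)
        return DTB_TOO_SMALL;
    if (file_size > FDT_MAX_SIZE)
        return DTB_TOO_BIG;            /* hard error, never truncate */
    if (be32(buf) != FDT_MAGIC)
        return DTB_BAD_MAGIC;
    uint32_t totalsize = be32(buf + 4);
    /* The header must not claim more bytes than the file actually holds. */
    if (totalsize < FDT_HDR_MIN || totalsize > file_size)
        return DTB_SIZE_MISMATCH;
    return DTB_OK;
}

/* Builds a constructed 8-byte header and checks it against a claimed file size. */
enum dtb_status dtb_check_sample(uint32_t magic, uint32_t totalsize, size_t file_size)
{
    uint8_t hdr[8];
    for (int i = 0; i < 4; i++) {
        hdr[i]     = (uint8_t)(magic >> (24 - 8 * i));
        hdr[4 + i] = (uint8_t)(totalsize >> (24 - 8 * i));
    }
    return dtb_check(hdr, file_size);
}

int main(void)
{
    printf("64KB blob: %d\n", dtb_check_sample(FDT_MAGIC, 0x10000u, 0x10000u));
    printf("2MB blob:  %d\n", dtb_check_sample(FDT_MAGIC, 0x200000u, 0x200000u));
    return 0;
}
```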


