From 8d15a63e84ff62fd31e8278088fa1176f2735eef Mon Sep 17 00:00:00 2001 From: David Gibson Date: Wed, 28 Jan 2026 12:03:52 +1100 Subject: [PATCH] libfdt: Verify alignment of sub-blocks in dtb MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit A dtb is considered malformed if its structural elements (not things within property values) are not naturally aligned. This means that the structure block must be aligned to a 32-bit boundary, the reserve map must be aligned to a 64-bit boundary and the whole thing must be loaded at a 64-bit aligned address. We currently verify that last condition in fdt_check_header() but not the other cases. Reported-by: Owen Sanzas (Ze Sheng) 盛泽 Link: https://github.com/dgibson/dtc/issues/178 Signed-off-by: David Gibson --- libfdt/fdt.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/libfdt/fdt.c b/libfdt/fdt.c index 95f644c..56d4dcb 100644 --- a/libfdt/fdt.c +++ b/libfdt/fdt.c @@ -110,6 +110,14 @@ int fdt_check_header(const void *fdt) || (fdt_totalsize(fdt) > INT_MAX)) return -FDT_ERR_TRUNCATED; + /* memrsv block must be 8 byte aligned */ + if (fdt_off_mem_rsvmap(fdt) % sizeof(uint64_t)) + return -FDT_ERR_ALIGNMENT; + + /* Structure block must be 4 byte aligned */ + if (fdt_off_dt_struct(fdt) % FDT_TAGSIZE) + return -FDT_ERR_ALIGNMENT; + /* Bounds check memrsv block */ if (!check_off_(hdrsize, fdt_totalsize(fdt), fdt_off_mem_rsvmap(fdt)))
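
Review bot: The two new -FDT_ERR_ALIGNMENT returns in fdt_check_header() arrive without a test: the diffstat lists only libfdt/fdt.c (8 insertions). Please add a case for each, one header with off_mem_rsvmap not a multiple of 8 and one with off_dt_struct not a multiple of 4, each expecting -FDT_ERR_ALIGNMENT, so that the rejection of blobs the commit message says were not checked before is pinned down. A smaller style point on the same lines: the reserve map check spells its alignment as sizeof(uint64_t) while the structure block check uses the named FDT_TAGSIZE; a named constant or a short comment tying the 8 to the reserve map entry layout would make the two checks read alike.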