Context Navigation

fdt_rw.c @ b41cd6c

Last change on this file since b41cd6c was b41cd6c, checked in by Courtney Cavin <courtney.cavin@…>, on 12/02/15 at 00:43:10

libfdt: check for potential overrun in _fdt_splice()

This patch catches the conditions where:

'splicepoint' is set to a point outside of [ fdt, fdt_totalsize(fdt) )
'newlen' is negative, or 'splicepoint' plus 'newlen' results in overflow

Either of these cases can be caused by math which overflows in calling
functions, or by sizes specified through dynamic means.

Signed-off-by: Courtney Cavin <courtney.cavin@…>
Signed-off-by: Bjorn Andersson <bjorn.andersson@…>

Property mode set to 100644

File size: 12.8 KB

Line
1	/*
2	* libfdt - Flat Device Tree manipulation
3	* Copyright (C) 2006 David Gibson, IBM Corporation.
4	*
5	* libfdt is dual licensed: you can use it either under the terms of
6	* the GPL, or the BSD license, at your option.
7	*
8	* a) This library is free software; you can redistribute it and/or
9	* modify it under the terms of the GNU General Public License as
10	* published by the Free Software Foundation; either version 2 of the
11	* License, or (at your option) any later version.
12	*
13	* This library is distributed in the hope that it will be useful,
14	* but WITHOUT ANY WARRANTY; without even the implied warranty of
15	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16	* GNU General Public License for more details.
17	*
18	* You should have received a copy of the GNU General Public
19	* License along with this library; if not, write to the Free
20	* Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston,
21	* MA 02110-1301 USA
22	*
23	* Alternatively,
24	*
25	* b) Redistribution and use in source and binary forms, with or
26	* without modification, are permitted provided that the following
27	* conditions are met:
28	*
29	* 1. Redistributions of source code must retain the above
30	* copyright notice, this list of conditions and the following
31	* disclaimer.
32	* 2. Redistributions in binary form must reproduce the above
33	* copyright notice, this list of conditions and the following
34	* disclaimer in the documentation and/or other materials
35	* provided with the distribution.
36	*
37	* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND
38	* CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES,
39	* INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
40	* MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
41	* DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR
42	* CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
43	* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
44	* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
45	* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
46	* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
47	* CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
48	* OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,
49	* EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
50	*/
51	#include "libfdt_env.h"
52
53	#include <fdt.h>
54	#include <libfdt.h>
55
56	#include "libfdt_internal.h"
57
58	static int _fdt_blocks_misordered(const void *fdt,
59	int mem_rsv_size, int struct_size)
60	{
61	return (fdt_off_mem_rsvmap(fdt) < FDT_ALIGN(sizeof(struct fdt_header), 8))
62	\|\| (fdt_off_dt_struct(fdt) <
63	(fdt_off_mem_rsvmap(fdt) + mem_rsv_size))
64	\|\| (fdt_off_dt_strings(fdt) <
65	(fdt_off_dt_struct(fdt) + struct_size))
66	\|\| (fdt_totalsize(fdt) <
67	(fdt_off_dt_strings(fdt) + fdt_size_dt_strings(fdt)));
68	}
69
70	static int _fdt_rw_check_header(void *fdt)
71	{
72	FDT_CHECK_HEADER(fdt);
73
74	if (fdt_version(fdt) < 17)
75	return -FDT_ERR_BADVERSION;
76	if (_fdt_blocks_misordered(fdt, sizeof(struct fdt_reserve_entry),
77	fdt_size_dt_struct(fdt)))
78	return -FDT_ERR_BADLAYOUT;
79	if (fdt_version(fdt) > 17)
80	fdt_set_version(fdt, 17);
81
82	return 0;
83	}
84
85	#define FDT_RW_CHECK_HEADER(fdt) \
86	{ \
87	int __err; \
88	if ((__err = _fdt_rw_check_header(fdt)) != 0) \
89	return __err; \
90	}
91
92	static inline int _fdt_data_size(void *fdt)
93	{
94	return fdt_off_dt_strings(fdt) + fdt_size_dt_strings(fdt);
95	}
96
97	static int _fdt_splice(void fdt, void splicepoint, int oldlen, int newlen)
98	{
99	char *p = splicepoint;
100	char end = (char )fdt + _fdt_data_size(fdt);
101
102	if (((p + oldlen) < p) \|\| ((p + oldlen) > end))
103	return -FDT_ERR_BADOFFSET;
104	if ((p < (char )fdt) \|\| ((end - oldlen + newlen) < (char )fdt))
105	return -FDT_ERR_BADOFFSET;
106	if ((end - oldlen + newlen) > ((char *)fdt + fdt_totalsize(fdt)))
107	return -FDT_ERR_NOSPACE;
108	memmove(p + newlen, p + oldlen, end - p - oldlen);
109	return 0;
110	}
111
112	static int _fdt_splice_mem_rsv(void fdt, struct fdt_reserve_entry p,
113	int oldn, int newn)
114	{
115	int delta = (newn - oldn) * sizeof(*p);
116	int err;
117	err = _fdt_splice(fdt, p, oldn * sizeof(p), newn sizeof(*p));
118	if (err)
119	return err;
120	fdt_set_off_dt_struct(fdt, fdt_off_dt_struct(fdt) + delta);
121	fdt_set_off_dt_strings(fdt, fdt_off_dt_strings(fdt) + delta);
122	return 0;
123	}
124
125	static int _fdt_splice_struct(void fdt, void p,
126	int oldlen, int newlen)
127	{
128	int delta = newlen - oldlen;
129	int err;
130
131	if ((err = _fdt_splice(fdt, p, oldlen, newlen)))
132	return err;
133
134	fdt_set_size_dt_struct(fdt, fdt_size_dt_struct(fdt) + delta);
135	fdt_set_off_dt_strings(fdt, fdt_off_dt_strings(fdt) + delta);
136	return 0;
137	}
138
139	static int _fdt_splice_string(void *fdt, int newlen)
140	{
141	void p = (char )fdt
142	+ fdt_off_dt_strings(fdt) + fdt_size_dt_strings(fdt);
143	int err;
144
145	if ((err = _fdt_splice(fdt, p, 0, newlen)))
146	return err;
147
148	fdt_set_size_dt_strings(fdt, fdt_size_dt_strings(fdt) + newlen);
149	return 0;
150	}
151
152	static int _fdt_find_add_string(void fdt, const char s)
153	{
154	char strtab = (char )fdt + fdt_off_dt_strings(fdt);
155	const char *p;
156	char *new;
157	int len = strlen(s) + 1;
158	int err;
159
160	p = _fdt_find_string(strtab, fdt_size_dt_strings(fdt), s);
161	if (p)
162	/* found it */
163	return (p - strtab);
164
165	new = strtab + fdt_size_dt_strings(fdt);
166	err = _fdt_splice_string(fdt, len);
167	if (err)
168	return err;
169
170	memcpy(new, s, len);
171	return (new - strtab);
172	}
173
174	int fdt_add_mem_rsv(void *fdt, uint64_t address, uint64_t size)
175	{
176	struct fdt_reserve_entry *re;
177	int err;
178
179	FDT_RW_CHECK_HEADER(fdt);
180
181	re = _fdt_mem_rsv_w(fdt, fdt_num_mem_rsv(fdt));
182	err = _fdt_splice_mem_rsv(fdt, re, 0, 1);
183	if (err)
184	return err;
185
186	re->address = cpu_to_fdt64(address);
187	re->size = cpu_to_fdt64(size);
188	return 0;
189	}
190
191	int fdt_del_mem_rsv(void *fdt, int n)
192	{
193	struct fdt_reserve_entry *re = _fdt_mem_rsv_w(fdt, n);
194	int err;
195
196	FDT_RW_CHECK_HEADER(fdt);
197
198	if (n >= fdt_num_mem_rsv(fdt))
199	return -FDT_ERR_NOTFOUND;
200
201	err = _fdt_splice_mem_rsv(fdt, re, 1, 0);
202	if (err)
203	return err;
204	return 0;
205	}
206
207	static int _fdt_resize_property(void fdt, int nodeoffset, const char name,
208	int len, struct fdt_property **prop)
209	{
210	int oldlen;
211	int err;
212
213	*prop = fdt_get_property_w(fdt, nodeoffset, name, &oldlen);
214	if (! (*prop))
215	return oldlen;
216
217	if ((err = _fdt_splice_struct(fdt, (*prop)->data, FDT_TAGALIGN(oldlen),
218	FDT_TAGALIGN(len))))
219	return err;
220
221	(*prop)->len = cpu_to_fdt32(len);
222	return 0;
223	}
224
225	static int _fdt_add_property(void fdt, int nodeoffset, const char name,
226	int len, struct fdt_property **prop)
227	{
228	int proplen;
229	int nextoffset;
230	int namestroff;
231	int err;
232
233	if ((nextoffset = _fdt_check_node_offset(fdt, nodeoffset)) < 0)
234	return nextoffset;
235
236	namestroff = _fdt_find_add_string(fdt, name);
237	if (namestroff < 0)
238	return namestroff;
239
240	*prop = _fdt_offset_ptr_w(fdt, nextoffset);
241	proplen = sizeof(**prop) + FDT_TAGALIGN(len);
242
243	err = _fdt_splice_struct(fdt, *prop, 0, proplen);
244	if (err)
245	return err;
246
247	(*prop)->tag = cpu_to_fdt32(FDT_PROP);
248	(*prop)->nameoff = cpu_to_fdt32(namestroff);
249	(*prop)->len = cpu_to_fdt32(len);
250	return 0;
251	}
252
253	int fdt_set_name(void fdt, int nodeoffset, const char name)
254	{
255	char *namep;
256	int oldlen, newlen;
257	int err;
258
259	FDT_RW_CHECK_HEADER(fdt);
260
261	namep = (char *)(uintptr_t)fdt_get_name(fdt, nodeoffset, &oldlen);
262	if (!namep)
263	return oldlen;
264
265	newlen = strlen(name);
266
267	err = _fdt_splice_struct(fdt, namep, FDT_TAGALIGN(oldlen+1),
268	FDT_TAGALIGN(newlen+1));
269	if (err)
270	return err;
271
272	memcpy(namep, name, newlen+1);
273	return 0;
274	}
275
276	int fdt_setprop(void fdt, int nodeoffset, const char name,
277	const void *val, int len)
278	{
279	struct fdt_property *prop;
280	int err;
281
282	FDT_RW_CHECK_HEADER(fdt);
283
284	err = _fdt_resize_property(fdt, nodeoffset, name, len, &prop);
285	if (err == -FDT_ERR_NOTFOUND)
286	err = _fdt_add_property(fdt, nodeoffset, name, len, &prop);
287	if (err)
288	return err;
289
290	memcpy(prop->data, val, len);
291	return 0;
292	}
293
294	int fdt_appendprop(void fdt, int nodeoffset, const char name,
295	const void *val, int len)
296	{
297	struct fdt_property *prop;
298	int err, oldlen, newlen;
299
300	FDT_RW_CHECK_HEADER(fdt);
301
302	prop = fdt_get_property_w(fdt, nodeoffset, name, &oldlen);
303	if (prop) {
304	newlen = len + oldlen;
305	err = _fdt_splice_struct(fdt, prop->data,
306	FDT_TAGALIGN(oldlen),
307	FDT_TAGALIGN(newlen));
308	if (err)
309	return err;
310	prop->len = cpu_to_fdt32(newlen);
311	memcpy(prop->data + oldlen, val, len);
312	} else {
313	err = _fdt_add_property(fdt, nodeoffset, name, len, &prop);
314	if (err)
315	return err;
316	memcpy(prop->data, val, len);
317	}
318	return 0;
319	}
320
321	int fdt_delprop(void fdt, int nodeoffset, const char name)
322	{
323	struct fdt_property *prop;
324	int len, proplen;
325
326	FDT_RW_CHECK_HEADER(fdt);
327
328	prop = fdt_get_property_w(fdt, nodeoffset, name, &len);
329	if (! prop)
330	return len;
331
332	proplen = sizeof(*prop) + FDT_TAGALIGN(len);
333	return _fdt_splice_struct(fdt, prop, proplen, 0);
334	}
335
336	int fdt_add_subnode_namelen(void *fdt, int parentoffset,
337	const char *name, int namelen)
338	{
339	struct fdt_node_header *nh;
340	int offset, nextoffset;
341	int nodelen;
342	int err;
343	uint32_t tag;
344	fdt32_t *endtag;
345
346	FDT_RW_CHECK_HEADER(fdt);
347
348	offset = fdt_subnode_offset_namelen(fdt, parentoffset, name, namelen);
349	if (offset >= 0)
350	return -FDT_ERR_EXISTS;
351	else if (offset != -FDT_ERR_NOTFOUND)
352	return offset;
353
354	/* Try to place the new node after the parent's properties */
355	fdt_next_tag(fdt, parentoffset, &nextoffset); /* skip the BEGIN_NODE */
356	do {
357	offset = nextoffset;
358	tag = fdt_next_tag(fdt, offset, &nextoffset);
359	} while ((tag == FDT_PROP) \|\| (tag == FDT_NOP));
360
361	nh = _fdt_offset_ptr_w(fdt, offset);
362	nodelen = sizeof(*nh) + FDT_TAGALIGN(namelen+1) + FDT_TAGSIZE;
363
364	err = _fdt_splice_struct(fdt, nh, 0, nodelen);
365	if (err)
366	return err;
367
368	nh->tag = cpu_to_fdt32(FDT_BEGIN_NODE);
369	memset(nh->name, 0, FDT_TAGALIGN(namelen+1));
370	memcpy(nh->name, name, namelen);
371	endtag = (fdt32_t )((char )nh + nodelen - FDT_TAGSIZE);
372	*endtag = cpu_to_fdt32(FDT_END_NODE);
373
374	return offset;
375	}
376
377	int fdt_add_subnode(void fdt, int parentoffset, const char name)
378	{
379	return fdt_add_subnode_namelen(fdt, parentoffset, name, strlen(name));
380	}
381
382	int fdt_del_node(void *fdt, int nodeoffset)
383	{
384	int endoffset;
385
386	FDT_RW_CHECK_HEADER(fdt);
387
388	endoffset = _fdt_node_end_offset(fdt, nodeoffset);
389	if (endoffset < 0)
390	return endoffset;
391
392	return _fdt_splice_struct(fdt, _fdt_offset_ptr_w(fdt, nodeoffset),
393	endoffset - nodeoffset, 0);
394	}
395
396	static void _fdt_packblocks(const char old, char new,
397	int mem_rsv_size, int struct_size)
398	{
399	int mem_rsv_off, struct_off, strings_off;
400
401	mem_rsv_off = FDT_ALIGN(sizeof(struct fdt_header), 8);
402	struct_off = mem_rsv_off + mem_rsv_size;
403	strings_off = struct_off + struct_size;
404
405	memmove(new + mem_rsv_off, old + fdt_off_mem_rsvmap(old), mem_rsv_size);
406	fdt_set_off_mem_rsvmap(new, mem_rsv_off);
407
408	memmove(new + struct_off, old + fdt_off_dt_struct(old), struct_size);
409	fdt_set_off_dt_struct(new, struct_off);
410	fdt_set_size_dt_struct(new, struct_size);
411
412	memmove(new + strings_off, old + fdt_off_dt_strings(old),
413	fdt_size_dt_strings(old));
414	fdt_set_off_dt_strings(new, strings_off);
415	fdt_set_size_dt_strings(new, fdt_size_dt_strings(old));
416	}
417
418	int fdt_open_into(const void fdt, void buf, int bufsize)
419	{
420	int err;
421	int mem_rsv_size, struct_size;
422	int newsize;
423	const char *fdtstart = fdt;
424	const char *fdtend = fdtstart + fdt_totalsize(fdt);
425	char *tmp;
426
427	FDT_CHECK_HEADER(fdt);
428
429	mem_rsv_size = (fdt_num_mem_rsv(fdt)+1)
430	* sizeof(struct fdt_reserve_entry);
431
432	if (fdt_version(fdt) >= 17) {
433	struct_size = fdt_size_dt_struct(fdt);
434	} else {
435	struct_size = 0;
436	while (fdt_next_tag(fdt, struct_size, &struct_size) != FDT_END)
437	;
438	if (struct_size < 0)
439	return struct_size;
440	}
441
442	if (!_fdt_blocks_misordered(fdt, mem_rsv_size, struct_size)) {
443	/* no further work necessary */
444	err = fdt_move(fdt, buf, bufsize);
445	if (err)
446	return err;
447	fdt_set_version(buf, 17);
448	fdt_set_size_dt_struct(buf, struct_size);
449	fdt_set_totalsize(buf, bufsize);
450	return 0;
451	}
452
453	/* Need to reorder */
454	newsize = FDT_ALIGN(sizeof(struct fdt_header), 8) + mem_rsv_size
455	+ struct_size + fdt_size_dt_strings(fdt);
456
457	if (bufsize < newsize)
458	return -FDT_ERR_NOSPACE;
459
460	/* First attempt to build converted tree at beginning of buffer */
461	tmp = buf;
462	/* But if that overlaps with the old tree... */
463	if (((tmp + newsize) > fdtstart) && (tmp < fdtend)) {
464	/* Try right after the old tree instead */
465	tmp = (char *)(uintptr_t)fdtend;
466	if ((tmp + newsize) > ((char *)buf + bufsize))
467	return -FDT_ERR_NOSPACE;
468	}
469
470	_fdt_packblocks(fdt, tmp, mem_rsv_size, struct_size);
471	memmove(buf, tmp, newsize);
472
473	fdt_set_magic(buf, FDT_MAGIC);
474	fdt_set_totalsize(buf, bufsize);
475	fdt_set_version(buf, 17);
476	fdt_set_last_comp_version(buf, 16);
477	fdt_set_boot_cpuid_phys(buf, fdt_boot_cpuid_phys(fdt));
478
479	return 0;
480	}
481
482	int fdt_pack(void *fdt)
483	{
484	int mem_rsv_size;
485
486	FDT_RW_CHECK_HEADER(fdt);
487
488	mem_rsv_size = (fdt_num_mem_rsv(fdt)+1)
489	* sizeof(struct fdt_reserve_entry);
490	_fdt_packblocks(fdt, fdt, mem_rsv_size, fdt_size_dt_struct(fdt));
491	fdt_set_totalsize(fdt, _fdt_data_size(fdt));
492
493	return 0;
494	}

Note: See TracBrowser for help on using the repository browser.

Context Navigation

source: rtems/cpukit/dtc/libfdt/fdt_rw.c @ b41cd6c

Download in other formats: