source: rtems/cpukit/dtc/libfdt/fdt_sw.c @ 80eaf45

Last change on this file since 80eaf45 was 80eaf45, checked in by David Gibson <david@…>, on Jul 9, 2018 at 4:50:38 AM

libfdt: Add necessary header padding in fdt_create()

At present fdt_create() will succeed if there is exactly enough space to
put in the fdt header. However, it sets the off_mem_rsvmap field a few
bytes past that, in order to align the memory reservation block.

Having block pointers pointing past the end of the fdt is pretty ugly, even
if it is just a transient state. Worse, if fdt_resize() is called at
exactly the wrong time, it can end up accessing data past the blob's
allocated space because of this.

So, correct fdt_create() to ensure that there is sufficient space for the
alignment padding as well as the plain header. For paranoia, also add a
check in fdt_resize() to make sure we don't copy data from outside the
blob's bounds.

Signed-off-by: David Gibson <david@…>

1/*
2 * libfdt - Flat Device Tree manipulation
3 * Copyright (C) 2006 David Gibson, IBM Corporation.
4 *
5 * libfdt is dual licensed: you can use it either under the terms of
6 * the GPL, or the BSD license, at your option.
7 *
8 *  a) This library is free software; you can redistribute it and/or
9 *     modify it under the terms of the GNU General Public License as
10 *     published by the Free Software Foundation; either version 2 of the
11 *     License, or (at your option) any later version.
12 *
13 *     This library is distributed in the hope that it will be useful,
14 *     but WITHOUT ANY WARRANTY; without even the implied warranty of
15 *     MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
16 *     GNU General Public License for more details.
17 *
18 *     You should have received a copy of the GNU General Public
19 *     License along with this library; if not, write to the Free
20 *     Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston,
21 *     MA 02110-1301 USA
22 *
23 * Alternatively,
24 *
25 *  b) Redistribution and use in source and binary forms, with or
26 *     without modification, are permitted provided that the following
27 *     conditions are met:
28 *
29 *     1. Redistributions of source code must retain the above
30 *        copyright notice, this list of conditions and the following
31 *        disclaimer.
32 *     2. Redistributions in binary form must reproduce the above
33 *        copyright notice, this list of conditions and the following
34 *        disclaimer in the documentation and/or other materials
35 *        provided with the distribution.
36 *
37 *     THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND
38 *     CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES,
39 *     INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
40 *     MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
41 *     DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR
42 *     CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
43 *     SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
44 *     NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
45 *     LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
46 *     HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
47 *     CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
48 *     OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,
49 *     EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
50 */
51#include "libfdt_env.h"
52
53#include <fdt.h>
54#include <libfdt.h>
55
56#include "libfdt_internal.h"
57
/* Check that @fdt is a blob currently open for sequential writes.
 *
 * Returns 0 when the blob carries FDT_SW_MAGIC, -FDT_ERR_BADSTATE when
 * it already carries the final FDT_MAGIC (fdt_finish() has run on it),
 * and -FDT_ERR_BADMAGIC for anything else.
 */
static int fdt_sw_probe_(void *fdt)
{
	uint32_t magic = fdt_magic(fdt);

	if (magic == FDT_SW_MAGIC)
		return 0;

	/* A completed blob is reported distinctly from arbitrary data so
	 * callers can tell "already finished" apart from "not an fdt". */
	return (magic == FDT_MAGIC) ? -FDT_ERR_BADSTATE : -FDT_ERR_BADMAGIC;
}
66
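/* Return from the enclosing function with the probe's error code unless
 * @fdt is in sequential-write state.  Wrapped in do { } while (0) so the
 * macro (plus the caller's ';') is a single statement and is safe as the
 * body of an if/else. */
#define FDT_SW_PROBE(fdt) \
	do { \
		int err; \
		if ((err = fdt_sw_probe_(fdt)) != 0) \
			return err; \
	} while (0)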
73
/* 'memrsv' state:      Initial state after fdt_create()
 *
 * Allowed functions:
 *      fdt_add_reservemap_entry()
 *      fdt_finish_reservemap()         [moves to 'struct' state]
 */
/* Check that @fdt is in sequential-write state and that its memory
 * reservation map is still open.  Returns 0 on success, or the
 * negative FDT_ERR_* code describing why the blob is not usable. */
static int fdt_sw_probe_memrsv_(void *fdt)
{
	int err = fdt_sw_probe_(fdt);

	if (err)
		return err;

	/* While the reservation map is open off_dt_strings is 0;
	 * fdt_finish_reservemap() sets it to totalsize. */
	return (fdt_off_dt_strings(fdt) == 0) ? 0 : -FDT_ERR_BADSTATE;
}
90
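/* Return from the enclosing function unless @fdt is in 'memrsv' state.
 * Wrapped in do { } while (0) so the macro (plus the caller's ';') is a
 * single statement and is safe as the body of an if/else. */
#define FDT_SW_PROBE_MEMRSV(fdt) \
	do { \
		int err; \
		if ((err = fdt_sw_probe_memrsv_(fdt)) != 0) \
			return err; \
	} while (0)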
97
/* 'struct' state:      Enter this state after fdt_finish_reservemap()
 *
 * Allowed functions:
 *      fdt_begin_node()
 *      fdt_end_node()
 *      fdt_property*()
 *      fdt_finish()                    [moves to 'complete' state]
 */
/* Check that @fdt is in sequential-write state and that the reservation
 * map has been closed, i.e. the structure block is being written.
 * Returns 0 on success, or the negative FDT_ERR_* code otherwise. */
static int fdt_sw_probe_struct_(void *fdt)
{
	int err = fdt_sw_probe_(fdt);

	if (err)
		return err;

	/* fdt_finish_reservemap() pins off_dt_strings to totalsize; any
	 * other value means the map is still open (0) or the blob was
	 * tampered with. */
	if (fdt_off_dt_strings(fdt) == fdt_totalsize(fdt))
		return 0;
	return -FDT_ERR_BADSTATE;
}
116
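/* Return from the enclosing function unless @fdt is in 'struct' state.
 * Wrapped in do { } while (0) so the macro (plus the caller's ';') is a
 * single statement and is safe as the body of an if/else. */
#define FDT_SW_PROBE_STRUCT(fdt) \
	do { \
		int err; \
		if ((err = fdt_sw_probe_struct_(fdt)) != 0) \
			return err; \
	} while (0)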
123
/* 'complete' state:    Enter this state after fdt_finish()
 *
 * Allowed functions: none
 */
128
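/* Append @len bytes to the structure block of a blob under
 * construction.
 *
 * The structure block grows upwards from off_dt_struct while the string
 * table occupies the tail of the blob; the free space is whatever lies
 * between the two.  Returns a writable pointer to the newly reserved
 * bytes, or NULL if they do not fit.  The size arithmetic is done in
 * size_t: a wrapping @len or a header whose blocks already exceed
 * totalsize both count as "no room" rather than silently passing the
 * check (a negative int @spaceleft used to convert to a huge size_t).
 */
static void *fdt_grab_space_(void *fdt, size_t len)
{
	size_t offset = fdt_size_dt_struct(fdt);
	size_t used = (size_t)fdt_off_dt_struct(fdt) + fdt_size_dt_strings(fdt);
	size_t total = fdt_totalsize(fdt);
	size_t spaceleft;

	/* Do not trust the difference unless the header is self-consistent */
	if (used > total)
		return NULL;
	spaceleft = total - used;

	/* First clause catches offset + len wrapping around SIZE_MAX */
	if ((offset + len < offset) || (offset + len > spaceleft))
		return NULL;

	fdt_set_size_dt_struct(fdt, offset + len);
	return fdt_offset_ptr_w_(fdt, (int)offset);
}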
143
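/* Start building a new device tree blob in @buf using the sequential
 * write API.
 *
 * @buf     caller-provided buffer; it is zeroed in full
 * @bufsize size of @buf in bytes
 *
 * The header is padded (hdrsize) so that off_mem_rsvmap lands on a
 * reserve-entry-aligned offset that is still inside the blob.  On
 * return the blob is in 'memrsv' state with the SW magic set.
 * Returns 0, or -FDT_ERR_NOSPACE if @bufsize is negative or smaller
 * than the padded header.
 */
int fdt_create(void *buf, int bufsize)
{
	const size_t hdrsize = FDT_ALIGN(sizeof(struct fdt_header),
					 sizeof(struct fdt_reserve_entry));
	void *fdt = buf;

	/* A negative bufsize would promote to a huge size_t in the
	 * comparison against hdrsize and then reach memset(); reject it
	 * before converting. */
	if (bufsize < 0 || (size_t)bufsize < hdrsize)
		return -FDT_ERR_NOSPACE;

	memset(buf, 0, (size_t)bufsize);

	fdt_set_magic(fdt, FDT_SW_MAGIC);
	fdt_set_version(fdt, FDT_LAST_SUPPORTED_VERSION);
	fdt_set_last_comp_version(fdt, FDT_FIRST_SUPPORTED_VERSION);
	fdt_set_totalsize(fdt,  bufsize);

	/* The reservation map starts right after the padded header and the
	 * structure block starts wherever the map ends (it is advanced by
	 * fdt_add_reservemap_entry()).  off_dt_strings == 0 marks 'memrsv'
	 * state. */
	fdt_set_off_mem_rsvmap(fdt, hdrsize);
	fdt_set_off_dt_struct(fdt, fdt_off_mem_rsvmap(fdt));
	fdt_set_off_dt_strings(fdt, 0);

	return 0;
}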
166
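/* Move a blob under construction into a (typically larger) buffer.
 *
 * @fdt     blob in sequential-write state
 * @buf     destination buffer; may overlap @fdt
 * @bufsize size of @buf in bytes
 *
 * The header, reservation map and structure block ("head") are copied
 * to the start of @buf and the string table ("tail") to its end, which
 * is the layout the sequential-write code expects.  Returns 0,
 * -FDT_ERR_INTERNAL if the source header describes more data than its
 * own totalsize, or -FDT_ERR_NOSPACE if @bufsize is negative or too
 * small for head plus tail.
 */
int fdt_resize(void *fdt, void *buf, int bufsize)
{
	size_t headsize, tailsize;
	char *oldtail, *newtail;

	FDT_SW_PROBE(fdt);

	/* A negative bufsize would promote to a huge size_t in the space
	 * check below and then be used as the offset for newtail; reject
	 * it up front. */
	if (bufsize < 0)
		return -FDT_ERR_NOSPACE;

	headsize = (size_t)fdt_off_dt_struct(fdt) + fdt_size_dt_struct(fdt);
	tailsize = fdt_size_dt_strings(fdt);

	/* Never copy from beyond the source blob's own bounds */
	if ((headsize + tailsize) > fdt_totalsize(fdt))
		return -FDT_ERR_INTERNAL;

	if ((headsize + tailsize) > (size_t)bufsize)
		return -FDT_ERR_NOSPACE;

	oldtail = (char *)fdt + fdt_totalsize(fdt) - tailsize;
	newtail = (char *)buf + bufsize - tailsize;

	/* Two cases to avoid clobbering data if the old and new
	 * buffers partially overlap: when the destination starts at or
	 * below the source, the head moves down first (it cannot reach
	 * the old tail above it); otherwise the tail moves up first. */
	if (buf <= fdt) {
		memmove(buf, fdt, headsize);
		memmove(newtail, oldtail, tailsize);
	} else {
		memmove(newtail, oldtail, tailsize);
		memmove(buf, fdt, headsize);
	}

	fdt_set_totalsize(buf, bufsize);
	/* In 'struct' state off_dt_strings tracks totalsize (the table
	 * sits at the very end of the blob); in 'memrsv' state it is 0
	 * and must stay so. */
	if (fdt_off_dt_strings(buf))
		fdt_set_off_dt_strings(buf, bufsize);

	return 0;
}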
202
/* Append one (address, size) pair to the memory reservation map of a
 * blob in 'memrsv' state.
 *
 * The map is written at off_dt_struct, which is advanced past each new
 * entry; the structure block therefore starts wherever the map ends.
 * Returns 0, a probe error if the blob is not in 'memrsv' state, or
 * -FDT_ERR_NOSPACE if the entry would run past totalsize.
 */
int fdt_add_reservemap_entry(void *fdt, uint64_t addr, uint64_t size)
{
	struct fdt_reserve_entry *re;
	char *base = (char *)fdt;
	int offset;

	FDT_SW_PROBE_MEMRSV(fdt);

	offset = fdt_off_dt_struct(fdt);
	if (offset + sizeof(*re) > fdt_totalsize(fdt))
		return -FDT_ERR_NOSPACE;

	/* Entries are stored big-endian, as everywhere else in the blob */
	re = (struct fdt_reserve_entry *)(base + offset);
	re->address = cpu_to_fdt64(addr);
	re->size = cpu_to_fdt64(size);

	fdt_set_off_dt_struct(fdt, offset + sizeof(*re));

	return 0;
}
222
/* Close the memory reservation map and move the blob to 'struct' state.
 *
 * The map is terminated by an all-zero entry.  Setting off_dt_strings
 * to totalsize both marks the new state and places the (still empty)
 * string table at the end of the blob.  Returns 0 or the error from
 * adding the terminator.
 */
int fdt_finish_reservemap(void *fdt)
{
	int err = fdt_add_reservemap_entry(fdt, 0, 0);

	if (err == 0)
		fdt_set_off_dt_strings(fdt, fdt_totalsize(fdt));
	return err;
}
233
/* Emit an FDT_BEGIN_NODE tag followed by @name into the structure
 * block of a blob in 'struct' state.
 *
 * The name is copied with its terminating NUL and the allocation is
 * rounded up to FDT_TAGSIZE so the next tag stays aligned.  Returns 0,
 * a probe error, or -FDT_ERR_NOSPACE.
 */
int fdt_begin_node(void *fdt, const char *name)
{
	struct fdt_node_header *nh;
	int name_bytes;

	FDT_SW_PROBE_STRUCT(fdt);

	name_bytes = strlen(name) + 1;
	nh = fdt_grab_space_(fdt, sizeof(*nh) + FDT_TAGALIGN(name_bytes));
	if (nh == NULL)
		return -FDT_ERR_NOSPACE;

	nh->tag = cpu_to_fdt32(FDT_BEGIN_NODE);
	memcpy(nh->name, name, name_bytes);
	return 0;
}
250
/* Emit an FDT_END_NODE tag into the structure block of a blob in
 * 'struct' state.  Returns 0, a probe error, or -FDT_ERR_NOSPACE.
 */
int fdt_end_node(void *fdt)
{
	fdt32_t *tag;

	FDT_SW_PROBE_STRUCT(fdt);

	tag = fdt_grab_space_(fdt, FDT_TAGSIZE);
	if (tag == NULL)
		return -FDT_ERR_NOSPACE;

	*tag = cpu_to_fdt32(FDT_END_NODE);
	return 0;
}
264
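/* Look up @s in the string table of a blob under construction, adding
 * it when absent.
 *
 * While the blob is being built the string table grows downwards from
 * the end of the blob, so offsets are returned as negative numbers
 * relative to that end; fdt_finish() later rewrites them relative to
 * the final string block.  Returns 0 when @s is not present and there
 * is no room to add it (0 can never be a valid offset here, since every
 * stored string lies below @strtab).
 *
 * The room check is done in size_t on the positive quantities: the old
 * form `totalsize + offset < struct_top` mixed the unsigned 32-bit
 * header value with a negative int, so a string longer than the space
 * left wrapped the sum and slipped past the check into memcpy().
 */
static int fdt_find_add_string_(void *fdt, const char *s)
{
	char *strtab = (char *)fdt + fdt_totalsize(fdt);
	const char *p;
	int strtabsize = fdt_size_dt_strings(fdt);
	int len = strlen(s) + 1;
	size_t struct_top, used;
	int offset;

	p = fdt_find_string_(strtab - strtabsize, strtabsize, s);
	if (p)
		return p - strtab;

	/* Add it: the new string goes just below the existing table and
	 * must not reach down into the structure block. */
	struct_top = (size_t)fdt_off_dt_struct(fdt) + fdt_size_dt_struct(fdt);
	used = struct_top + (size_t)strtabsize;
	if (used > fdt_totalsize(fdt) ||
	    (size_t)len > fdt_totalsize(fdt) - used)
		return 0; /* no more room :( */

	offset = -strtabsize - len;
	memcpy(strtab + offset, s, len);
	fdt_set_size_dt_strings(fdt, strtabsize + len);
	return offset;
}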
287
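/* Reserve space for a property in the structure block without filling
 * in its value.
 *
 * @name  property name; added to the string table if not already there
 * @len   value length in bytes (the allocation is rounded up to
 *        FDT_TAGSIZE)
 * @valp  on success receives a pointer to the @len-byte value area
 *
 * Returns 0, a probe error, -FDT_ERR_BADVALUE for a negative @len, or
 * -FDT_ERR_NOSPACE if either the string table or the structure block
 * cannot grow.  A name that was just added to the string table is not
 * rolled back when the structure block then turns out to be full.
 */
int fdt_property_placeholder(void *fdt, const char *name, int len, void **valp)
{
	struct fdt_property *prop;
	int nameoff;

	FDT_SW_PROBE_STRUCT(fdt);

	/* A negative length would be stored into prop->len as a huge
	 * unsigned value and, via fdt_property(), handed to memcpy(). */
	if (len < 0)
		return -FDT_ERR_BADVALUE;

	nameoff = fdt_find_add_string_(fdt, name);
	if (nameoff == 0)
		return -FDT_ERR_NOSPACE;

	prop = fdt_grab_space_(fdt, sizeof(*prop) + FDT_TAGALIGN(len));
	if (prop == NULL)
		return -FDT_ERR_NOSPACE;

	/* nameoff is still relative to the end of the blob; fdt_finish()
	 * rebases it once the string table has been moved into place. */
	prop->tag = cpu_to_fdt32(FDT_PROP);
	prop->nameoff = cpu_to_fdt32(nameoff);
	prop->len = cpu_to_fdt32(len);
	*valp = prop->data;
	return 0;
}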
309
/* Add a property with an immediate value to a blob in 'struct' state.
 *
 * Thin wrapper over fdt_property_placeholder(): reserves the slot, then
 * copies @len bytes from @val into it.  Returns 0 or the placeholder's
 * error code.
 */
int fdt_property(void *fdt, const char *name, const void *val, int len)
{
	void *slot;
	int err = fdt_property_placeholder(fdt, name, len, &slot);

	if (err == 0)
		memcpy(slot, val, len);
	return err;
}
321
/* Finalise a blob under construction and move it to 'complete' state.
 *
 * Steps, in order: terminate the structure block with FDT_END; move the
 * string table from the tail of the buffer down to just after the
 * structure block; rebase every property's nameoff (until now negative,
 * relative to the end of the blob) onto the relocated table; shrink
 * totalsize to the bytes actually used; and finally stamp FDT_MAGIC,
 * after which the sequential-write functions refuse the blob.
 * Returns 0, a probe error, -FDT_ERR_NOSPACE if the terminator does not
 * fit, or the negative error from fdt_next_tag() if the structure block
 * is malformed.
 */
int fdt_finish(void *fdt)
{
	char *base = (char *)fdt;
	fdt32_t *end;
	int oldstroffset, newstroffset;
	uint32_t tag;
	int offset, nextoffset;

	FDT_SW_PROBE_STRUCT(fdt);

	/* Add terminator */
	end = fdt_grab_space_(fdt, sizeof(*end));
	if (end == NULL)
		return -FDT_ERR_NOSPACE;
	*end = cpu_to_fdt32(FDT_END);

	/* Relocate the string table; the two regions may overlap, hence
	 * memmove */
	oldstroffset = fdt_totalsize(fdt) - fdt_size_dt_strings(fdt);
	newstroffset = fdt_off_dt_struct(fdt) + fdt_size_dt_struct(fdt);
	memmove(base + newstroffset, base + oldstroffset,
		fdt_size_dt_strings(fdt));
	fdt_set_off_dt_strings(fdt, newstroffset);

	/* Walk the structure, correcting string offsets.  Adding the table
	 * size to a negative end-relative offset yields the offset from
	 * the start of the table; the arithmetic is modulo 2^32 either way. */
	for (offset = 0;
	     (tag = fdt_next_tag(fdt, offset, &nextoffset)) != FDT_END;
	     offset = nextoffset) {
		struct fdt_property *prop;
		uint32_t nameoff;

		if (tag != FDT_PROP)
			continue;

		prop = fdt_offset_ptr_w_(fdt, offset);
		nameoff = fdt32_to_cpu(prop->nameoff) + fdt_size_dt_strings(fdt);
		prop->nameoff = cpu_to_fdt32(nameoff);
	}
	/* fdt_next_tag() reports a malformed block by returning FDT_END
	 * with a negative nextoffset */
	if (nextoffset < 0)
		return nextoffset;

	/* Finally, adjust the header */
	fdt_set_totalsize(fdt, newstroffset + fdt_size_dt_strings(fdt));
	fdt_set_magic(fdt, FDT_MAGIC);
	return 0;
}