065e6298a7
If the value of get_image_size() exceeds INT_MAX / 2 - 10000, the computation of @dt_size overflows to a negative number, which then gets converted to a very large size_t for g_malloc0() and load_image_size(). In the (fortunately improbable) case g_malloc0() succeeds and load_image_size() survives, we'd assign the negative number to *sizep. What that would do to the callers I can't say, but it's unlikely to be good. Fix by rejecting images whose size would overflow. Reported-by: Kurtis Miller <kurtis.miller@nccgroup.com> Signed-off-by: Markus Armbruster <armbru@redhat.com> Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com> Signed-off-by: Alistair Francis <alistair.francis@wdc.com> Message-Id: <20190409174018.25798-1-armbru@redhat.com>
/*
 * Functions to help device tree manipulation using libfdt.
 * It also provides functions to read entries from device tree proc
 * interface.
 *
 * Copyright 2008 IBM Corporation.
 * Authors: Jerone Young <jyoung5@us.ibm.com>
 *          Hollis Blanchard <hollisb@us.ibm.com>
 *
 * This work is licensed under the GNU GPL license version 2 or later.
 *
 */
#include "qemu/osdep.h"
#ifdef CONFIG_LINUX
#include <dirent.h>
#endif
#include "qapi/error.h"
#include "qemu/error-report.h"
#include "qemu/option.h"
#include "qemu/bswap.h"
#include "sysemu/device_tree.h"
#include "sysemu/sysemu.h"
#include "hw/loader.h"
#include "hw/boards.h"
#include "qemu/config-file.h"
#include <libfdt.h>
#define FDT_MAX_SIZE 0x100000
/**
 * create_device_tree: build an empty flattened device tree
 * @sizep: receives FDT_MAX_SIZE, the size of the buffer that is returned
 *
 * A zeroed FDT_MAX_SIZE-byte buffer is obtained from g_malloc0() and filled
 * by the libfdt creation calls with a tree that holds only an empty root
 * node.  The blob is then reopened in place with fdt_open_into() at the full
 * buffer size.
 *
 * Every libfdt failure is reported and ends the process with exit(1), so
 * this function never returns NULL.
 *
 * Returns: the buffer holding the new tree (presumably released by the
 * caller with g_free() -- confirm against callers).
 */
void *create_device_tree(int *sizep)
{
    void *blob;
    int rc;

    *sizep = FDT_MAX_SIZE;
    blob = g_malloc0(FDT_MAX_SIZE);

    /* The steps run in order; the first negative result stops the chain. */
    if ((rc = fdt_create(blob, FDT_MAX_SIZE)) < 0 ||
        (rc = fdt_finish_reservemap(blob)) < 0 ||
        (rc = fdt_begin_node(blob, "")) < 0 ||
        (rc = fdt_end_node(blob)) < 0 ||
        (rc = fdt_finish(blob)) < 0) {
        error_report("%s Couldn't create dt: %s", __func__, fdt_strerror(rc));
        exit(1);
    }

    /* Source and destination are the same buffer: reopen in place. */
    if (fdt_open_into(blob, blob, *sizep) != 0) {
        error_report("Unable to copy device tree in memory");
        exit(1);
    }

    return blob;
}
/**
 * load_device_tree: read a device tree blob from a file
 * @filename_path: path of the blob on the host
 * @sizep: set to 0 on entry; on success receives the size of the returned
 *         buffer, which is (file size + 10000) * 2 bytes
 *
 * The working buffer is sized as an int.  A file larger than
 * INT_MAX / 2 - 10000 bytes is rejected before that arithmetic runs, because
 * the sum and the doubling would otherwise overflow to a negative int, and
 * that value would be passed as a size to g_malloc0() and load_image_size()
 * and could be stored in *sizep.
 *
 * Returns: the g_malloc0()ed buffer holding the tree, or NULL after
 * reporting the error.  On failure the buffer is freed and *sizep stays 0.
 */
void *load_device_tree(const char *filename_path, int *sizep)
{
    void *blob = NULL;
    int buf_size;
    int loaded;

    *sizep = 0;

    buf_size = get_image_size(filename_path);
    if (buf_size < 0) {
        error_report("Unable to get size of device tree file '%s'",
                     filename_path);
        goto fail;
    }
    /* Overflow guard: must stay ahead of the size arithmetic below. */
    if (buf_size > INT_MAX / 2 - 10000) {
        error_report("Device tree file '%s' is too large", filename_path);
        goto fail;
    }

    /* Expand to 2x size to give enough room for manipulation. */
    buf_size = (buf_size + 10000) * 2;

    /* First allocate space in qemu for device tree */
    blob = g_malloc0(buf_size);

    /* buf_size is passed as the size argument of the load call. */
    loaded = load_image_size(filename_path, blob, buf_size);
    if (loaded < 0) {
        error_report("Unable to open device tree file '%s'",
                     filename_path);
        goto fail;
    }

    if (fdt_open_into(blob, blob, buf_size) != 0) {
        error_report("Unable to copy device tree in memory");
        goto fail;
    }

    /* Check sanity of device tree */
    if (fdt_check_header(blob) != 0) {
        error_report("Device tree file loaded into memory is invalid: %s",
                     filename_path);
        goto fail;
    }

    *sizep = buf_size;
    return blob;

fail:
    /* blob is still NULL when the failure precedes the allocation. */
    g_free(blob);
    return NULL;
}
#ifdef CONFIG_LINUX
#define SYSFS_DT_BASEDIR "/proc/device-tree"
/**
 * read_fstree: this function is inspired from dtc read_fstree
 * @fdt: preallocated fdt blob buffer, to be populated
 * @dirname: directory to scan; it must begin with SYSFS_DT_BASEDIR
 *
 * The scan is recursive.  Each regular file becomes a property of the node
 * that corresponds to @dirname (the root node "/" when @dirname is exactly
 * SYSFS_DT_BASEDIR), and each directory becomes a subnode that is then
 * scanned in turn.  Entries are classified with lstat(), so anything that
 * is neither a regular file nor a directory is left out of the tree.
 *
 * Every failure is reported and ends the process with exit(1).
 *
 * NOTE(review): the file length is a gsize, while qemu_fdt_setprop() takes
 * an int size; this is only safe while property files stay far below
 * INT_MAX bytes -- confirm that holds for the host interface being read.
 */
static void read_fstree(void *fdt, const char *dirname)
{
    const char *base = SYSFS_DT_BASEDIR;
    const char *node_path;
    struct dirent *entry;
    struct stat sb;
    DIR *dir;

    /* strstr() returns dirname itself only when dirname begins with base. */
    if (strstr(dirname, base) != dirname) {
        error_report("%s: %s must be searched within %s",
                     __func__, dirname, base);
        exit(1);
    }
    /* What follows the base directory is the node path inside the tree. */
    node_path = dirname + strlen(SYSFS_DT_BASEDIR);

    dir = opendir(dirname);
    if (dir == NULL) {
        error_report("%s cannot open %s", __func__, dirname);
        exit(1);
    }

    for (entry = readdir(dir); entry != NULL; entry = readdir(dir)) {
        char *entry_path;

        if (g_strcmp0(entry->d_name, ".") == 0 ||
            g_strcmp0(entry->d_name, "..") == 0) {
            continue;
        }

        entry_path = g_strdup_printf("%s/%s", dirname, entry->d_name);

        if (lstat(entry_path, &sb) < 0) {
            error_report("%s cannot lstat %s", __func__, entry_path);
            exit(1);
        }

        if (S_ISDIR(sb.st_mode)) {
            char *child_node = g_strdup_printf("%s/%s",
                                               node_path, entry->d_name);

            qemu_fdt_add_subnode(fdt, child_node);
            g_free(child_node);
            read_fstree(fdt, entry_path);
        } else if (S_ISREG(sb.st_mode)) {
            gchar *data;
            gsize data_len;

            if (!g_file_get_contents(entry_path, &data, &data_len, NULL)) {
                error_report("%s not able to extract info from %s",
                             __func__, entry_path);
                exit(1);
            }

            /* An empty node path means the property sits on the root. */
            qemu_fdt_setprop(fdt, node_path[0] != '\0' ? node_path : "/",
                             entry->d_name, data, data_len);
            g_free(data);
        }

        g_free(entry_path);
    }

    closedir(dir);
}
/**
 * load_device_tree_from_sysfs: extract the dt blob from host sysfs
 *
 * Creates an empty tree with create_device_tree(), fills it from
 * SYSFS_DT_BASEDIR with read_fstree(), then checks the header of the
 * result with fdt_check_header().  An invalid header is reported and ends
 * the process with exit(1).
 *
 * Returns: the buffer holding the populated tree.
 */
void *load_device_tree_from_sysfs(void)
{
    int blob_size;
    void *blob = create_device_tree(&blob_size);

    read_fstree(blob, SYSFS_DT_BASEDIR);

    if (fdt_check_header(blob) != 0) {
        error_report("%s host device tree extracted into memory is invalid",
                     __func__);
        exit(1);
    }

    return blob;
}
#endif /* CONFIG_LINUX */
/**
 * findnode_nofail: look up a node that is required to exist
 * @fdt: device tree blob
 * @node_path: path handed to fdt_path_offset()
 *
 * Returns: the non-negative node offset.  A negative lookup result is
 * reported together with its libfdt error string and ends the process with
 * exit(1), so callers never see a failure value.
 */
static int findnode_nofail(void *fdt, const char *node_path)
{
    int node = fdt_path_offset(fdt, node_path);

    if (node >= 0) {
        return node;
    }

    error_report("%s Couldn't find node %s: %s", __func__, node_path,
                 fdt_strerror(node));
    exit(1);
}
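/**
 * qemu_fdt_node_unit_path: list the paths of nodes called @name or @name@...
 * @fdt: device tree blob
 * @name: node name to look for; "<name>@<anything>" matches as well
 * @errp: set when walking the tree fails
 *
 * Every node of the tree is visited with fdt_next_node().
 *
 * Returns: a newly allocated, NULL-terminated array of newly allocated path
 * strings, in the order the nodes were visited; the array holds only the
 * terminator when nothing matches.  Returns NULL with @errp set on a libfdt
 * error.  (Presumably released by the caller with g_strfreev() -- confirm.)
 */
char **qemu_fdt_node_unit_path(void *fdt, const char *name, Error **errp)
{
    char *prefix = g_strdup_printf("%s@", name);
    unsigned int path_len = 16, n = 0;
    GSList *path_list = NULL, *iter;
    const char *iter_name;
    int offset, len, ret;
    int err = 0;
    char **path_array;

    offset = fdt_next_node(fdt, -1, NULL);

    while (offset >= 0) {
        iter_name = fdt_get_name(fdt, offset, &len);
        if (!iter_name) {
            /* On failure fdt_get_name() leaves the error code in len. */
            offset = len;
            break;
        }
        if (!strcmp(iter_name, name) || g_str_has_prefix(iter_name, prefix)) {
            char *path;

            /* Grow the buffer in 16-byte steps until the path fits. */
            path = g_malloc(path_len);
            while ((ret = fdt_get_path(fdt, offset, path, path_len))
                   == -FDT_ERR_NOSPACE) {
                path_len += 16;
                path = g_realloc(path, path_len);
            }
            if (ret < 0) {
                /*
                 * The lookup failed for a reason other than a short
                 * buffer.  path comes from g_malloc() and may never have
                 * been written, so it must not be handed out as a string.
                 */
                g_free(path);
                err = ret;
                break;
            }
            path_list = g_slist_prepend(path_list, path);
            n++;
        }
        offset = fdt_next_node(fdt, offset, NULL);
    }
    g_free(prefix);

    /* -FDT_ERR_NOTFOUND from the walk is treated as the normal end. */
    if (!err && offset < 0 && offset != -FDT_ERR_NOTFOUND) {
        err = offset;
    }
    if (err) {
        error_setg(errp, "%s: abort parsing dt for %s node units: %s",
                   __func__, name, fdt_strerror(err));
        for (iter = path_list; iter; iter = iter->next) {
            g_free(iter->data);
        }
        g_slist_free(path_list);
        return NULL;
    }

    /* The list was built by prepending, so fill the array back to front. */
    path_array = g_new(char *, n + 1);
    path_array[n] = NULL;

    for (iter = path_list; iter; iter = iter->next) {
        path_array[--n] = iter->data;
    }

    g_slist_free(path_list);

    return path_array;
}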
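/**
 * qemu_fdt_node_path: list the paths of nodes matching a name and compatible
 * @fdt: device tree blob
 * @name: exact node name to look for
 * @compat: compatible string handed to fdt_node_offset_by_compatible()
 * @errp: set when walking the tree fails
 *
 * Only nodes returned by fdt_node_offset_by_compatible() for @compat are
 * visited; of those, the ones whose name equals @name are kept.
 *
 * Returns: a newly allocated, NULL-terminated array of newly allocated path
 * strings, in the order the nodes were visited; the array holds only the
 * terminator when nothing matches.  Returns NULL with @errp set on a libfdt
 * error.  (Presumably released by the caller with g_strfreev() -- confirm.)
 */
char **qemu_fdt_node_path(void *fdt, const char *name, char *compat,
                          Error **errp)
{
    int offset, len, ret;
    int err = 0;
    const char *iter_name;
    unsigned int path_len = 16, n = 0;
    GSList *path_list = NULL, *iter;
    char **path_array;

    offset = fdt_node_offset_by_compatible(fdt, -1, compat);

    while (offset >= 0) {
        iter_name = fdt_get_name(fdt, offset, &len);
        if (!iter_name) {
            /* On failure fdt_get_name() leaves the error code in len. */
            offset = len;
            break;
        }
        if (!strcmp(iter_name, name)) {
            char *path;

            /* Grow the buffer in 16-byte steps until the path fits. */
            path = g_malloc(path_len);
            while ((ret = fdt_get_path(fdt, offset, path, path_len))
                   == -FDT_ERR_NOSPACE) {
                path_len += 16;
                path = g_realloc(path, path_len);
            }
            if (ret < 0) {
                /*
                 * The lookup failed for a reason other than a short
                 * buffer.  path comes from g_malloc() and may never have
                 * been written, so it must not be handed out as a string.
                 */
                g_free(path);
                err = ret;
                break;
            }
            path_list = g_slist_prepend(path_list, path);
            n++;
        }
        offset = fdt_node_offset_by_compatible(fdt, offset, compat);
    }

    /* -FDT_ERR_NOTFOUND from the walk is treated as the normal end. */
    if (!err && offset < 0 && offset != -FDT_ERR_NOTFOUND) {
        err = offset;
    }
    if (err) {
        error_setg(errp, "%s: abort parsing dt for %s/%s: %s",
                   __func__, name, compat, fdt_strerror(err));
        for (iter = path_list; iter; iter = iter->next) {
            g_free(iter->data);
        }
        g_slist_free(path_list);
        return NULL;
    }

    /* The list was built by prepending, so fill the array back to front. */
    path_array = g_new(char *, n + 1);
    path_array[n] = NULL;

    for (iter = path_list; iter; iter = iter->next) {
        path_array[--n] = iter->data;
    }

    g_slist_free(path_list);

    return path_array;
}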
/**
 * qemu_fdt_setprop: set a property to a block of bytes
 * @fdt: device tree blob
 * @node_path: path of the node; it must exist (see findnode_nofail())
 * @property: property name
 * @val: bytes to store
 * @size: number of bytes at @val, as an int
 *
 * Returns: the non-negative result of fdt_setprop().  A negative result is
 * reported and ends the process with exit(1).
 */
int qemu_fdt_setprop(void *fdt, const char *node_path,
                     const char *property, const void *val, int size)
{
    int node = findnode_nofail(fdt, node_path);
    int rc = fdt_setprop(fdt, node, property, val, size);

    if (rc >= 0) {
        return rc;
    }

    error_report("%s: Couldn't set %s/%s: %s", __func__, node_path,
                 property, fdt_strerror(rc));
    exit(1);
}
/**
 * qemu_fdt_setprop_cell: set a property to a single 32-bit cell
 * @fdt: device tree blob
 * @node_path: path of the node; it must exist (see findnode_nofail())
 * @property: property name
 * @val: value handed to fdt_setprop_cell()
 *
 * Returns: the non-negative result of fdt_setprop_cell().  A negative
 * result is reported and ends the process with exit(1).
 */
int qemu_fdt_setprop_cell(void *fdt, const char *node_path,
                          const char *property, uint32_t val)
{
    int node = findnode_nofail(fdt, node_path);
    int rc = fdt_setprop_cell(fdt, node, property, val);

    if (rc >= 0) {
        return rc;
    }

    error_report("%s: Couldn't set %s/%s = %#08x: %s", __func__,
                 node_path, property, val, fdt_strerror(rc));
    exit(1);
}
/**
 * qemu_fdt_setprop_u64: set a property to one 64-bit value
 * @fdt: device tree blob
 * @node_path: path of the node
 * @property: property name
 * @val: value in host byte order
 *
 * The value is converted with cpu_to_be64() and stored as an 8-byte
 * property through qemu_fdt_setprop().
 *
 * Returns: whatever qemu_fdt_setprop() returns.
 */
int qemu_fdt_setprop_u64(void *fdt, const char *node_path,
                         const char *property, uint64_t val)
{
    uint64_t be_val = cpu_to_be64(val);

    return qemu_fdt_setprop(fdt, node_path, property, &be_val,
                            sizeof(be_val));
}
/**
 * qemu_fdt_setprop_string: set a property to a C string
 * @fdt: device tree blob
 * @node_path: path of the node; it must exist (see findnode_nofail())
 * @property: property name
 * @string: string handed to fdt_setprop_string()
 *
 * Returns: the non-negative result of fdt_setprop_string().  A negative
 * result is reported and ends the process with exit(1).
 */
int qemu_fdt_setprop_string(void *fdt, const char *node_path,
                            const char *property, const char *string)
{
    int node = findnode_nofail(fdt, node_path);
    int rc = fdt_setprop_string(fdt, node, property, string);

    if (rc >= 0) {
        return rc;
    }

    error_report("%s: Couldn't set %s/%s = %s: %s", __func__,
                 node_path, property, string, fdt_strerror(rc));
    exit(1);
}
/**
 * qemu_fdt_getprop: look up a property value
 * @fdt: device tree blob
 * @node_path: path of the node; it must exist (see findnode_nofail())
 * @property: property name
 * @lenp: optional; receives what fdt_getprop() stores in its length
 *        argument.  When the lookup fails that value is passed to
 *        fdt_strerror() for the message.
 * @errp: set when the property cannot be read
 *
 * A missing node ends the process inside findnode_nofail(); a missing
 * property is reported through @errp.
 *
 * Returns: the pointer returned by fdt_getprop(), or NULL with @errp set.
 */
const void *qemu_fdt_getprop(void *fdt, const char *node_path,
                             const char *property, int *lenp, Error **errp)
{
    int scratch_len;
    /* The error path reads the length, so a caller's NULL needs a stand-in. */
    int *out_len = lenp ? lenp : &scratch_len;
    const void *prop;

    prop = fdt_getprop(fdt, findnode_nofail(fdt, node_path), property,
                       out_len);
    if (prop == NULL) {
        error_setg(errp, "%s: Couldn't get %s/%s: %s", __func__,
                   node_path, property, fdt_strerror(*out_len));
    }

    return prop;
}
/**
 * qemu_fdt_getprop_cell: read a property that holds one 32-bit cell
 * @fdt: device tree blob
 * @node_path: path of the node
 * @property: property name
 * @lenp: optional; receives the length reported by qemu_fdt_getprop(), or
 *        -EINVAL when the property is not exactly 4 bytes long
 * @errp: set on failure
 *
 * The length is checked before the value is dereferenced, so only a
 * property of exactly 4 bytes is read as a cell.
 *
 * Returns: the value converted with be32_to_cpu(), or 0 with @errp set.
 * A return of 0 alone does not say whether the call failed.
 */
uint32_t qemu_fdt_getprop_cell(void *fdt, const char *node_path,
                               const char *property, int *lenp, Error **errp)
{
    int scratch_len;
    const uint32_t *cell;

    if (lenp == NULL) {
        lenp = &scratch_len;
    }

    cell = qemu_fdt_getprop(fdt, node_path, property, lenp, errp);
    if (cell == NULL) {
        return 0;
    }

    if (*lenp != 4) {
        error_setg(errp, "%s: %s/%s not 4 bytes long (not a cell?)",
                   __func__, node_path, property);
        *lenp = -EINVAL;
        return 0;
    }

    return be32_to_cpu(*cell);
}
/**
 * qemu_fdt_get_phandle: fetch the phandle of an existing node
 * @fdt: device tree blob
 * @path: path of the node; it must exist (see findnode_nofail())
 *
 * Returns: the non-zero result of fdt_get_phandle().  A result of 0 is
 * reported and ends the process with exit(1).
 *
 * NOTE(review): the value passed to fdt_strerror() on the failure path is
 * always 0, so the message cannot carry a libfdt error code.
 */
uint32_t qemu_fdt_get_phandle(void *fdt, const char *path)
{
    uint32_t handle = fdt_get_phandle(fdt, findnode_nofail(fdt, path));

    if (handle != 0) {
        return handle;
    }

    error_report("%s: Couldn't get phandle for %s: %s", __func__,
                 path, fdt_strerror(handle));
    exit(1);
}
/**
 * qemu_fdt_setprop_phandle: point a property at another node
 * @fdt: device tree blob
 * @node_path: path of the node that receives the property
 * @property: property name
 * @target_node_path: path of the node whose phandle is stored
 *
 * The target's phandle is read with qemu_fdt_get_phandle() and written as
 * a single cell with qemu_fdt_setprop_cell().
 *
 * Returns: whatever qemu_fdt_setprop_cell() returns.
 */
int qemu_fdt_setprop_phandle(void *fdt, const char *node_path,
                             const char *property,
                             const char *target_node_path)
{
    uint32_t target = qemu_fdt_get_phandle(fdt, target_node_path);
    int rc = qemu_fdt_setprop_cell(fdt, node_path, property, target);

    return rc;
}
/**
 * qemu_fdt_alloc_phandle: hand out the next phandle id
 * @fdt: not used by this function
 *
 * The ids come from a counter kept in a function-local static.  While that
 * counter is 0 it is seeded from machine_phandle_start(current_machine);
 * when that also yields 0 the counter starts at 0x8000.
 *
 * Returns: the current counter value; the counter is then incremented.
 */
uint32_t qemu_fdt_alloc_phandle(void *fdt)
{
    static int next_phandle = 0x0;

    if (next_phandle == 0) {
        /*
         * We need to find out if the user gave us special instruction at
         * which phandle id to start allocating phandles.
         */
        next_phandle = machine_phandle_start(current_machine);

        if (next_phandle == 0) {
            /*
             * None or invalid phandle given on the command line, so fall
             * back to default starting point.
             */
            next_phandle = 0x8000;
        }
    }

    return next_phandle++;
}
/**
 * qemu_fdt_nop_node: call fdt_nop_node() on an existing node
 * @fdt: device tree blob
 * @node_path: path of the node; it must exist (see findnode_nofail())
 *
 * Returns: the non-negative result of fdt_nop_node().  A negative result
 * is reported and ends the process with exit(1).
 */
int qemu_fdt_nop_node(void *fdt, const char *node_path)
{
    int node = findnode_nofail(fdt, node_path);
    int rc = fdt_nop_node(fdt, node);

    if (rc >= 0) {
        return rc;
    }

    error_report("%s: Couldn't nop node %s: %s", __func__, node_path,
                 fdt_strerror(rc));
    exit(1);
}
/**
 * qemu_fdt_add_subnode: create a node from its full path
 * @fdt: device tree blob
 * @name: full path of the new node; it must contain at least one '/'
 *
 * The path is split at its last '/': the left part names the parent, which
 * must already exist, and the right part names the new node.  An empty
 * left part selects offset 0 as the parent.
 *
 * Returns: the result of fdt_add_subnode() on success, or -1 when @name
 * holds no '/'.  A negative result from fdt_add_subnode() is reported and
 * ends the process with exit(1).
 */
int qemu_fdt_add_subnode(void *fdt, const char *name)
{
    /* Work on a private copy: the split below writes into the string. */
    char *parent_path = g_strdup(name);
    char *last_slash = strrchr(parent_path, '/');
    const char *leaf;
    int parent_off = 0;
    int node;

    if (last_slash == NULL) {
        g_free(parent_path);
        return -1;
    }

    /* Cut the copy in two: "<parent path>\0<leaf>". */
    *last_slash = '\0';
    leaf = last_slash + 1;

    if (parent_path[0] != '\0') {
        parent_off = findnode_nofail(fdt, parent_path);
    }

    node = fdt_add_subnode(fdt, parent_off, leaf);
    if (node < 0) {
        error_report("FDT: Failed to create subnode %s: %s", name,
                     fdt_strerror(node));
        exit(1);
    }

    g_free(parent_path);
    return node;
}
/**
 * qemu_fdt_dumpdtb: write the blob to a file when "dumpdtb" is set
 * @fdt: device tree blob
 * @size: number of bytes of @fdt to write
 *
 * Reads the "dumpdtb" machine option.  When it is absent the function
 * returns without doing anything.  When it is present the blob is written
 * to that path with g_file_set_contents() and the process exits: status 0
 * when the write succeeded, status 1 otherwise.
 */
void qemu_fdt_dumpdtb(void *fdt, int size)
{
    const char *out_path = qemu_opt_get(qemu_get_machine_opts(), "dumpdtb");
    gboolean written;

    if (out_path == NULL) {
        return;
    }

    /* Dump the dtb to a file and quit */
    written = g_file_set_contents(out_path, fdt, size, NULL);
    exit(written ? 0 : 1);
}
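/**
 * qemu_fdt_setprop_sized_cells_from_array: set a property from sized values
 * @fdt: device tree blob
 * @node_path: path of the node
 * @property: property name
 * @numvalues: number of (size, value) pairs in @values
 * @values: array of 2 * @numvalues entries; entry 2*i is the cell count of
 *          pair i (1 or 2) and entry 2*i+1 is its value
 *
 * Each value is written as one or two big-endian 32-bit cells.  A value
 * declared as one cell must fit in 32 bits.
 *
 * Returns: the result of qemu_fdt_setprop() on success, or -1 when
 * @numvalues is out of range, a cell count is neither 1 nor 2, or a
 * one-cell value has bits set above bit 31.
 */
int qemu_fdt_setprop_sized_cells_from_array(void *fdt,
                                            const char *node_path,
                                            const char *property,
                                            int numvalues,
                                            uint64_t *values)
{
    uint32_t *propcells;
    uint64_t ncells;
    uint64_t value;
    int cellnum, vnum;
    uint32_t hival;
    int ret;

    /*
     * Bound numvalues so that numvalues * 2 and the byte count passed to
     * qemu_fdt_setprop(), which takes an int size, both stay within int.
     */
    if (numvalues < 0 ||
        numvalues > INT_MAX / (2 * (int)sizeof(uint32_t))) {
        return -1;
    }

    propcells = g_new0(uint32_t, numvalues * 2);

    cellnum = 0;
    for (vnum = 0; vnum < numvalues; vnum++) {
        /*
         * Compare the cell count at full width: narrowing it to int first
         * would let a value such as 0x100000001 pass as 1.
         */
        ncells = values[vnum * 2];
        if (ncells != 1 && ncells != 2) {
            ret = -1;
            goto out;
        }
        value = values[vnum * 2 + 1];
        hival = cpu_to_be32(value >> 32);
        if (ncells > 1) {
            propcells[cellnum++] = hival;
        } else if (hival != 0) {
            /* The upper half would be lost in a single cell. */
            ret = -1;
            goto out;
        }
        propcells[cellnum++] = cpu_to_be32(value);
    }

    ret = qemu_fdt_setprop(fdt, node_path, property, propcells,
                           cellnum * sizeof(uint32_t));
out:
    g_free(propcells);
    return ret;
}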