libfdt is never supposed to access memory outside the the blob, or outside the sub-blocks within it, even if the blob is badly corrupted. We can leverage valgrind's client requests to do better testing of this. This adds a vg_prepare_blob() function which marks just the valid parts of an fdt blob as properly initialized, explicitly marking the rest as uninitialized. This means valgrind should catch any bad accesses. We add a call to vg_prepare_blob() to load_blob() so that lots of the existing testcases will benefit from the extra checking. Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx> --- tests/tests.h | 1 + tests/testutils.c | 52 +++++++++++++++++++++++++++++++++++++++++++++- tests/truncated_property.c | 2 ++ tests/truncated_string.c | 2 ++ 4 files changed, 56 insertions(+), 1 deletion(-) diff --git a/tests/tests.h b/tests/tests.h index df38b77..b7daa26 100644 --- a/tests/tests.h +++ b/tests/tests.h @@ -119,6 +119,7 @@ const void *check_getprop(void *fdt, int nodeoffset, const char *name, #define check_getprop_string(fdt, nodeoffset, name, s) \ check_getprop((fdt), (nodeoffset), (name), strlen(s)+1, (s)) int nodename_eq(const char *s1, const char *s2); +void vg_prepare_blob(void *fdt, size_t bufsize); void *load_blob(const char *filename); void *load_blob_arg(int argc, char *argv[]); void save_blob(const char *filename, void *blob); diff --git a/tests/testutils.c b/tests/testutils.c index d6d6818..ea8a022 100644 --- a/tests/testutils.c +++ b/tests/testutils.c @@ -161,14 +161,64 @@ int nodename_eq(const char *s1, const char *s2) return 0; } +void vg_prepare_blob(void *fdt, size_t bufsize) +{ + char *blob = fdt; + int off_memrsv, off_strings, off_struct; + size_t size_memrsv, size_strings, size_struct; + + size_memrsv = (fdt_num_mem_rsv(fdt) + 1) + * sizeof(struct fdt_reserve_entry); + + VALGRIND_MAKE_MEM_UNDEFINED(blob, bufsize); + VALGRIND_MAKE_MEM_DEFINED(blob, FDT_V1_SIZE); + VALGRIND_MAKE_MEM_DEFINED(blob, fdt_header_size(fdt)); + + if (fdt_magic(fdt) == FDT_MAGIC) { + off_memrsv = fdt_off_mem_rsvmap(fdt); + + off_strings = fdt_off_dt_strings(fdt); + if (fdt_version(fdt) >= 3) + size_strings = fdt_size_dt_strings(fdt); + else + size_strings = fdt_totalsize(fdt) - off_strings; + + off_struct = fdt_off_dt_struct(fdt); + if (fdt_version(fdt) >= 17) + size_struct = fdt_size_dt_struct(fdt); + else + size_struct = fdt_totalsize(fdt) - off_struct; + } else if (fdt_magic(fdt) == (~FDT_MAGIC)) { + off_memrsv = fdt_off_mem_rsvmap(fdt); + + size_strings = fdt_size_dt_strings(fdt); + off_strings = fdt_off_dt_strings(fdt) - size_strings; + + off_struct = fdt_off_dt_struct(fdt); + size_struct = fdt_size_dt_struct(fdt); + size_struct = fdt_totalsize(fdt) - off_struct; + + } else { + CONFIG("Bad magic on vg_prepare_blob()"); + } + + VALGRIND_MAKE_MEM_DEFINED(blob + off_memrsv, size_memrsv); + VALGRIND_MAKE_MEM_DEFINED(blob + off_strings, size_strings); + VALGRIND_MAKE_MEM_DEFINED(blob + off_struct, size_struct); +} + void *load_blob(const char *filename) { char *blob; - int ret = utilfdt_read_err(filename, &blob, NULL); + size_t len; + int ret = utilfdt_read_err(filename, &blob, &len); if (ret) CONFIG("Couldn't open blob from \"%s\": %s", filename, strerror(ret)); + + vg_prepare_blob(blob, len); + return blob; } diff --git a/tests/truncated_property.c b/tests/truncated_property.c index 71619bb..f4b6770 100644 --- a/tests/truncated_property.c +++ b/tests/truncated_property.c @@ -36,6 +36,8 @@ int main(int argc, char *argv[]) test_init(argc, argv); + vg_prepare_blob(fdt, fdt_totalsize(fdt)); + prop = fdt_getprop(fdt, 0, "truncated", &len); if (prop) FAIL("fdt_getprop() succeeded on truncated property"); diff --git a/tests/truncated_string.c b/tests/truncated_string.c index 63214d2..5365f69 100644 --- a/tests/truncated_string.c +++ b/tests/truncated_string.c @@ -37,6 +37,8 @@ int main(int argc, char *argv[]) test_init(argc, argv); + vg_prepare_blob(fdt, fdt_totalsize(fdt)); + off = fdt_first_property_offset(fdt, 0); good = fdt_get_property_by_offset(fdt, off, NULL); -- 2.14.3 -- To unsubscribe from this list: send the line "unsubscribe devicetree-compiler" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html