Re: [PATCH] arm64: fix address fault during mapping fdt region

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 1 August 2016 at 11:42, zijun_hu <zijun_hu@xxxxxxxx> wrote:
> From 07b9216ec3494515e7a6c41e0333eb8782427db3 Mon Sep 17 00:00:00 2001
> From: zijun_hu <zijun_hu@xxxxxxx>
> Date: Mon, 1 Aug 2016 17:04:59 +0800
> Subject: [PATCH] arm64: fix address fault during mapping fdt region
>
> fdt_check_header() accesses other fileds of fdt header but
> the first 8 bytes such as version; so accessing unmapped
> address fault happens if fdt region locates below align
> boundary nearly during mapping fdt region, or expressed as
> (offset + sizeof(struct fdt_header)) > SWAPPER_BLOCK_SIZE
>
> fdt header size at least is mapped in order to avoid the issue
>
> Signed-off-by: zijun_hu <zijun_hu@xxxxxxx>
> ---
>  arch/arm64/mm/mmu.c | 14 ++++++++++++--
>  1 file changed, 12 insertions(+), 2 deletions(-)
>
> diff --git a/arch/arm64/mm/mmu.c b/arch/arm64/mm/mmu.c
> index 0f85a46..0d72b71 100644
> --- a/arch/arm64/mm/mmu.c
> +++ b/arch/arm64/mm/mmu.c
> @@ -744,6 +744,7 @@ void *__init __fixmap_remap_fdt(phys_addr_t dt_phys, int *size, pgprot_t prot)
>         const u64 dt_virt_base = __fix_to_virt(FIX_FDT);
>         int offset;
>         void *dt_virt;
> +       int dt_header_map_size;
>
>         /*
>          * Check whether the physical FDT address is set and meets the minimum
> @@ -774,9 +775,18 @@ void *__init __fixmap_remap_fdt(phys_addr_t dt_phys, int *size, pgprot_t prot)
>         offset = dt_phys % SWAPPER_BLOCK_SIZE;
>         dt_virt = (void *)dt_virt_base + offset;
>
> +       /*
> +        * fdt_check_header() maybe access any field of fdt header not
> +        * the first 8 bytes only, so map fdt header size at least for
> +        * checking fdt header without address fault more portably
> +        */
> +       BUILD_BUG_ON(sizeof(struct fdt_header) > SWAPPER_BLOCK_SIZE);
> +       dt_header_map_size = round_up(offset + sizeof(struct fdt_header),
> +                       SWAPPER_BLOCK_SIZE);
> +
>         /* map the first chunk so we can read the size from the header */
>         create_mapping_noalloc(round_down(dt_phys, SWAPPER_BLOCK_SIZE),
> -                       dt_virt_base, SWAPPER_BLOCK_SIZE, prot);
> +                       dt_virt_base, dt_header_map_size, prot);
>
>         if (fdt_check_header(dt_virt) != 0)
>                 return NULL;
> @@ -785,7 +795,7 @@ void *__init __fixmap_remap_fdt(phys_addr_t dt_phys, int *size, pgprot_t prot)
>         if (*size > MAX_FDT_SIZE)
>                 return NULL;
>
> -       if (offset + *size > SWAPPER_BLOCK_SIZE)
> +       if (offset + *size > dt_header_map_size)
>                 create_mapping_noalloc(round_down(dt_phys, SWAPPER_BLOCK_SIZE), dt_virt_base,
>                                round_up(offset + *size, SWAPPER_BLOCK_SIZE), prot);
>

Couldn't we simply do this instead?

diff --git a/arch/arm64/mm/mmu.c b/arch/arm64/mm/mmu.c
index 0f85a46c3e18..e8d3b04a2b57 100644
--- a/arch/arm64/mm/mmu.c
+++ b/arch/arm64/mm/mmu.c
@@ -778,7 +778,7 @@ void *__init __fixmap_remap_fdt(phys_addr_t
dt_phys, int *size, pgprot_t prot)
        create_mapping_noalloc(round_down(dt_phys, SWAPPER_BLOCK_SIZE),
                        dt_virt_base, SWAPPER_BLOCK_SIZE, prot);

-       if (fdt_check_header(dt_virt) != 0)
+       if (fdt_magic(dt_virt) != FDT_MAGIC)
                return NULL;

        *size = fdt_totalsize(dt_virt);

We are simply looking for a size field. The OF code will call
fdt_check_header() again, so anything that is checked there in
addition to the magic field will still be checked.

-- 
Ard.
--
To unsubscribe from this list: send the line "unsubscribe stable" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html



[Index of Archives]     [Linux Kernel]     [Kernel Development Newbies]     [Linux USB Devel]     [Video for Linux]     [Linux Audio Users]     [Yosemite Hiking]     [Linux Kernel]     [Linux SCSI]