On 1 August 2016 at 11:42, zijun_hu <zijun_hu@xxxxxxxx> wrote:
> From 07b9216ec3494515e7a6c41e0333eb8782427db3 Mon Sep 17 00:00:00 2001
> From: zijun_hu <zijun_hu@xxxxxxx>
> Date: Mon, 1 Aug 2016 17:04:59 +0800
> Subject: [PATCH] arm64: fix address fault during mapping fdt region
>
> fdt_check_header() accesses other fileds of fdt header but
> the first 8 bytes such as version; so accessing unmapped
> address fault happens if fdt region locates below align
> boundary nearly during mapping fdt region, or expressed as
> (offset + sizeof(struct fdt_header)) > SWAPPER_BLOCK_SIZE
>
> fdt header size at least is mapped in order to avoid the issue
>
> Signed-off-by: zijun_hu <zijun_hu@xxxxxxx>
> ---
> arch/arm64/mm/mmu.c | 14 ++++++++++++--
> 1 file changed, 12 insertions(+), 2 deletions(-)
>
> diff --git a/arch/arm64/mm/mmu.c b/arch/arm64/mm/mmu.c
> index 0f85a46..0d72b71 100644
> --- a/arch/arm64/mm/mmu.c
> +++ b/arch/arm64/mm/mmu.c
> @@ -744,6 +744,7 @@ void *__init __fixmap_remap_fdt(phys_addr_t dt_phys, int *size, pgprot_t prot)
> const u64 dt_virt_base = __fix_to_virt(FIX_FDT);
> int offset;
> void *dt_virt;
> + int dt_header_map_size;
>
> /*
> * Check whether the physical FDT address is set and meets the minimum
> @@ -774,9 +775,18 @@ void *__init __fixmap_remap_fdt(phys_addr_t dt_phys, int *size, pgprot_t prot)
> offset = dt_phys % SWAPPER_BLOCK_SIZE;
> dt_virt = (void *)dt_virt_base + offset;
>
> + /*
> + * fdt_check_header() maybe access any field of fdt header not
> + * the first 8 bytes only, so map fdt header size at least for
> + * checking fdt header without address fault more portably
> + */
> + BUILD_BUG_ON(sizeof(struct fdt_header) > SWAPPER_BLOCK_SIZE);
> + dt_header_map_size = round_up(offset + sizeof(struct fdt_header),
> + SWAPPER_BLOCK_SIZE);
> +
> /* map the first chunk so we can read the size from the header */
> create_mapping_noalloc(round_down(dt_phys, SWAPPER_BLOCK_SIZE),
> - dt_virt_base, SWAPPER_BLOCK_SIZE, prot);
> + dt_virt_base, dt_header_map_size, prot);
>
> if (fdt_check_header(dt_virt) != 0)
> return NULL;
> @@ -785,7 +795,7 @@ void *__init __fixmap_remap_fdt(phys_addr_t dt_phys, int *size, pgprot_t prot)
> if (*size > MAX_FDT_SIZE)
> return NULL;
>
> - if (offset + *size > SWAPPER_BLOCK_SIZE)
> + if (offset + *size > dt_header_map_size)
> create_mapping_noalloc(round_down(dt_phys, SWAPPER_BLOCK_SIZE), dt_virt_base,
> round_up(offset + *size, SWAPPER_BLOCK_SIZE), prot);
>
Couldn't we simply do this instead?
diff --git a/arch/arm64/mm/mmu.c b/arch/arm64/mm/mmu.c
index 0f85a46c3e18..e8d3b04a2b57 100644
--- a/arch/arm64/mm/mmu.c
+++ b/arch/arm64/mm/mmu.c
@@ -778,7 +778,7 @@ void *__init __fixmap_remap_fdt(phys_addr_t
dt_phys, int *size, pgprot_t prot)
create_mapping_noalloc(round_down(dt_phys, SWAPPER_BLOCK_SIZE),
dt_virt_base, SWAPPER_BLOCK_SIZE, prot);
- if (fdt_check_header(dt_virt) != 0)
+ if (fdt_magic(dt_virt) != FDT_MAGIC)
return NULL;
*size = fdt_totalsize(dt_virt);
We are simply looking for a size field. The OF code will call
fdt_check_header() again, so anything that is checked there in
addition to the magic field will still be checked.
--
Ard.
--
To unsubscribe from this list: send the line "unsubscribe stable" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html