From: mark.rutland@arm.com (Mark Rutland)
To: linux-arm-kernel@lists.infradead.org
Subject: [PATCH] arm64: fix address fault during mapping fdt region
Date: Mon, 1 Aug 2016 12:06:44 +0100 [thread overview]
Message-ID: <20160801110643.GC11119@leverpostej> (raw)
In-Reply-To: <CAKv+Gu9QQdncCD_T8+tpdVP8qx=EKM9-PGLvb8J9RNA2qHddFw@mail.gmail.com>
On Mon, Aug 01, 2016 at 11:50:39AM +0200, Ard Biesheuvel wrote:
> On 1 August 2016 at 11:42, zijun_hu <zijun_hu@zoho.com> wrote:
> > From 07b9216ec3494515e7a6c41e0333eb8782427db3 Mon Sep 17 00:00:00 2001
> > From: zijun_hu <zijun_hu@htc.com>
> > Date: Mon, 1 Aug 2016 17:04:59 +0800
> > Subject: [PATCH] arm64: fix address fault during mapping fdt region
> >
> > fdt_check_header() accesses other fileds of fdt header but
> > the first 8 bytes such as version; so accessing unmapped
> > address fault happens if fdt region locates below align
> > boundary nearly during mapping fdt region, or expressed as
> > (offset + sizeof(struct fdt_header)) > SWAPPER_BLOCK_SIZE
> >
> > fdt header size at least is mapped in order to avoid the issue
> >
> > Signed-off-by: zijun_hu <zijun_hu@htc.com>
> > ---
> > arch/arm64/mm/mmu.c | 14 ++++++++++++--
> > 1 file changed, 12 insertions(+), 2 deletions(-)
> >
> > diff --git a/arch/arm64/mm/mmu.c b/arch/arm64/mm/mmu.c
> > index 0f85a46..0d72b71 100644
> > --- a/arch/arm64/mm/mmu.c
> > +++ b/arch/arm64/mm/mmu.c
> > @@ -744,6 +744,7 @@ void *__init __fixmap_remap_fdt(phys_addr_t dt_phys, int *size, pgprot_t prot)
> > const u64 dt_virt_base = __fix_to_virt(FIX_FDT);
> > int offset;
> > void *dt_virt;
> > + int dt_header_map_size;
> >
> > /*
> > * Check whether the physical FDT address is set and meets the minimum
> > @@ -774,9 +775,18 @@ void *__init __fixmap_remap_fdt(phys_addr_t dt_phys, int *size, pgprot_t prot)
> > offset = dt_phys % SWAPPER_BLOCK_SIZE;
> > dt_virt = (void *)dt_virt_base + offset;
> >
> > + /*
> > + * fdt_check_header() maybe access any field of fdt header not
> > + * the first 8 bytes only, so map fdt header size at least for
> > + * checking fdt header without address fault more portably
> > + */
> > + BUILD_BUG_ON(sizeof(struct fdt_header) > SWAPPER_BLOCK_SIZE);
> > + dt_header_map_size = round_up(offset + sizeof(struct fdt_header),
> > + SWAPPER_BLOCK_SIZE);
> > +
> > /* map the first chunk so we can read the size from the header */
> > create_mapping_noalloc(round_down(dt_phys, SWAPPER_BLOCK_SIZE),
> > - dt_virt_base, SWAPPER_BLOCK_SIZE, prot);
> > + dt_virt_base, dt_header_map_size, prot);
> >
> > if (fdt_check_header(dt_virt) != 0)
> > return NULL;
> > @@ -785,7 +795,7 @@ void *__init __fixmap_remap_fdt(phys_addr_t dt_phys, int *size, pgprot_t prot)
> > if (*size > MAX_FDT_SIZE)
> > return NULL;
> >
> > - if (offset + *size > SWAPPER_BLOCK_SIZE)
> > + if (offset + *size > dt_header_map_size)
> > create_mapping_noalloc(round_down(dt_phys, SWAPPER_BLOCK_SIZE), dt_virt_base,
> > round_up(offset + *size, SWAPPER_BLOCK_SIZE), prot);
> >
>
> Couldn't we simply do this instead?
>
> diff --git a/arch/arm64/mm/mmu.c b/arch/arm64/mm/mmu.c
> index 0f85a46c3e18..e8d3b04a2b57 100644
> --- a/arch/arm64/mm/mmu.c
> +++ b/arch/arm64/mm/mmu.c
> @@ -778,7 +778,7 @@ void *__init __fixmap_remap_fdt(phys_addr_t
> dt_phys, int *size, pgprot_t prot)
> create_mapping_noalloc(round_down(dt_phys, SWAPPER_BLOCK_SIZE),
> dt_virt_base, SWAPPER_BLOCK_SIZE, prot);
>
> - if (fdt_check_header(dt_virt) != 0)
> + if (fdt_magic(dt_virt) != FDT_MAGIC)
> return NULL;
>
> *size = fdt_totalsize(dt_virt);
>
> We are simply looking for a size field. The OF code will call
> fdt_check_header() again, so anything that is checked there in
> addition to the magic field will still be checked.
That looks much nicer to me, and deferring the header check also looks
fine.
If you add a comment above the fdt_magic() check, pointing out why we
can only safely access the magic and totalsize fields (and thus can't
call fdt_check_header() yet):
Acked-by: Mark Rutland <mark.rutland@arm.com>
Thanks,
Mark.
WARNING: multiple messages have this Message-ID (diff)
From: Mark Rutland <mark.rutland@arm.com>
To: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Cc: zijun_hu <zijun_hu@zoho.com>,
Catalin Marinas <catalin.marinas@arm.com>,
Will Deacon <will.deacon@arm.com>,
"linux-arm-kernel@lists.infradead.org"
<linux-arm-kernel@lists.infradead.org>,
Laura Abbott <labbott@fedoraproject.org>,
"Suzuki K. Poulose" <suzuki.poulose@arm.com>,
Jeremy Linton <jeremy.linton@arm.com>,
tj@kernel.org,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
"stable@vger.kernel.org" <stable@vger.kernel.org>,
Andrew Morton <akpm@linux-foundation.org>,
zijun_hu@htc.com
Subject: Re: [PATCH] arm64: fix address fault during mapping fdt region
Date: Mon, 1 Aug 2016 12:06:44 +0100 [thread overview]
Message-ID: <20160801110643.GC11119@leverpostej> (raw)
In-Reply-To: <CAKv+Gu9QQdncCD_T8+tpdVP8qx=EKM9-PGLvb8J9RNA2qHddFw@mail.gmail.com>
On Mon, Aug 01, 2016 at 11:50:39AM +0200, Ard Biesheuvel wrote:
> On 1 August 2016 at 11:42, zijun_hu <zijun_hu@zoho.com> wrote:
> > From 07b9216ec3494515e7a6c41e0333eb8782427db3 Mon Sep 17 00:00:00 2001
> > From: zijun_hu <zijun_hu@htc.com>
> > Date: Mon, 1 Aug 2016 17:04:59 +0800
> > Subject: [PATCH] arm64: fix address fault during mapping fdt region
> >
> > fdt_check_header() accesses other fileds of fdt header but
> > the first 8 bytes such as version; so accessing unmapped
> > address fault happens if fdt region locates below align
> > boundary nearly during mapping fdt region, or expressed as
> > (offset + sizeof(struct fdt_header)) > SWAPPER_BLOCK_SIZE
> >
> > fdt header size at least is mapped in order to avoid the issue
> >
> > Signed-off-by: zijun_hu <zijun_hu@htc.com>
> > ---
> > arch/arm64/mm/mmu.c | 14 ++++++++++++--
> > 1 file changed, 12 insertions(+), 2 deletions(-)
> >
> > diff --git a/arch/arm64/mm/mmu.c b/arch/arm64/mm/mmu.c
> > index 0f85a46..0d72b71 100644
> > --- a/arch/arm64/mm/mmu.c
> > +++ b/arch/arm64/mm/mmu.c
> > @@ -744,6 +744,7 @@ void *__init __fixmap_remap_fdt(phys_addr_t dt_phys, int *size, pgprot_t prot)
> > const u64 dt_virt_base = __fix_to_virt(FIX_FDT);
> > int offset;
> > void *dt_virt;
> > + int dt_header_map_size;
> >
> > /*
> > * Check whether the physical FDT address is set and meets the minimum
> > @@ -774,9 +775,18 @@ void *__init __fixmap_remap_fdt(phys_addr_t dt_phys, int *size, pgprot_t prot)
> > offset = dt_phys % SWAPPER_BLOCK_SIZE;
> > dt_virt = (void *)dt_virt_base + offset;
> >
> > + /*
> > + * fdt_check_header() maybe access any field of fdt header not
> > + * the first 8 bytes only, so map fdt header size at least for
> > + * checking fdt header without address fault more portably
> > + */
> > + BUILD_BUG_ON(sizeof(struct fdt_header) > SWAPPER_BLOCK_SIZE);
> > + dt_header_map_size = round_up(offset + sizeof(struct fdt_header),
> > + SWAPPER_BLOCK_SIZE);
> > +
> > /* map the first chunk so we can read the size from the header */
> > create_mapping_noalloc(round_down(dt_phys, SWAPPER_BLOCK_SIZE),
> > - dt_virt_base, SWAPPER_BLOCK_SIZE, prot);
> > + dt_virt_base, dt_header_map_size, prot);
> >
> > if (fdt_check_header(dt_virt) != 0)
> > return NULL;
> > @@ -785,7 +795,7 @@ void *__init __fixmap_remap_fdt(phys_addr_t dt_phys, int *size, pgprot_t prot)
> > if (*size > MAX_FDT_SIZE)
> > return NULL;
> >
> > - if (offset + *size > SWAPPER_BLOCK_SIZE)
> > + if (offset + *size > dt_header_map_size)
> > create_mapping_noalloc(round_down(dt_phys, SWAPPER_BLOCK_SIZE), dt_virt_base,
> > round_up(offset + *size, SWAPPER_BLOCK_SIZE), prot);
> >
>
> Couldn't we simply do this instead?
>
> diff --git a/arch/arm64/mm/mmu.c b/arch/arm64/mm/mmu.c
> index 0f85a46c3e18..e8d3b04a2b57 100644
> --- a/arch/arm64/mm/mmu.c
> +++ b/arch/arm64/mm/mmu.c
> @@ -778,7 +778,7 @@ void *__init __fixmap_remap_fdt(phys_addr_t
> dt_phys, int *size, pgprot_t prot)
> create_mapping_noalloc(round_down(dt_phys, SWAPPER_BLOCK_SIZE),
> dt_virt_base, SWAPPER_BLOCK_SIZE, prot);
>
> - if (fdt_check_header(dt_virt) != 0)
> + if (fdt_magic(dt_virt) != FDT_MAGIC)
> return NULL;
>
> *size = fdt_totalsize(dt_virt);
>
> We are simply looking for a size field. The OF code will call
> fdt_check_header() again, so anything that is checked there in
> addition to the magic field will still be checked.
That looks much nicer to me, and deferring the header check also looks
fine.
If you add a comment above the fdt_magic() check, pointing out why we
can only safely access the magic and totalsize fields (and thus can't
call fdt_check_header() yet):
Acked-by: Mark Rutland <mark.rutland@arm.com>
Thanks,
Mark.
next prev parent reply other threads:[~2016-08-01 11:06 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-08-01 9:42 [PATCH] arm64: fix address fault during mapping fdt region zijun_hu
2016-08-01 9:42 ` zijun_hu
2016-08-01 9:50 ` Ard Biesheuvel
2016-08-01 9:50 ` Ard Biesheuvel
2016-08-01 10:59 ` zijun_hu
2016-08-01 10:59 ` zijun_hu
2016-08-01 11:24 ` Mark Rutland
2016-08-01 11:24 ` Mark Rutland
2016-08-01 13:17 ` zijun_hu
2016-08-01 13:17 ` zijun_hu
2016-08-01 13:31 ` Mark Rutland
2016-08-01 13:31 ` Mark Rutland
2016-08-01 11:06 ` Mark Rutland [this message]
2016-08-01 11:06 ` Mark Rutland
2016-08-01 12:24 ` Greg KH
2016-08-01 12:24 ` Greg KH
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20160801110643.GC11119@leverpostej \
--to=mark.rutland@arm.com \
--cc=linux-arm-kernel@lists.infradead.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.