[PATCH net-next v3 09/10] ptp: ocp: Add firmware header checks

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Jonathan Lemon <jonathan.lemon@gmail.com>
To: netdev@vger.kernel.org
Cc: richardcochran@gmail.com, davem@davemloft.net, kuba@kernel.org,
	pabeni@redhat.com, edumazet@google.com, kernel-team@fb.com
Subject: [PATCH net-next v3 09/10] ptp: ocp: Add firmware header checks
Date: Fri, 13 May 2022 15:59:23 -0700	[thread overview]
Message-ID: <20220513225924.1655-10-jonathan.lemon@gmail.com> (raw)
In-Reply-To: <20220513225924.1655-1-jonathan.lemon@gmail.com>

From: Vadim Fedorenko <vadfed@fb.com>

Right now it's possible to flash any kind of binary via devlink and
break the card easily. This diff adds an optional header check when
installing the firmware.

Signed-off-by: Vadim Fedorenko <vadfed@fb.com>
Signed-off-by: Jonathan Lemon <jonathan.lemon@gmail.com>
---
 drivers/ptp/ptp_ocp.c | 78 ++++++++++++++++++++++++++++++++++++++++---
 1 file changed, 73 insertions(+), 5 deletions(-)

diff --git a/drivers/ptp/ptp_ocp.c b/drivers/ptp/ptp_ocp.c
index 67733b319bdc..4ff7f16242cf 100644
--- a/drivers/ptp/ptp_ocp.c
+++ b/drivers/ptp/ptp_ocp.c
@@ -19,6 +19,7 @@
 #include <linux/i2c.h>
 #include <linux/mtd/mtd.h>
 #include <linux/nvmem-consumer.h>
+#include <linux/crc16.h>
 
 #ifndef PCI_VENDOR_ID_FACEBOOK
 #define PCI_VENDOR_ID_FACEBOOK 0x1d9b
@@ -223,6 +224,17 @@ struct ptp_ocp_flash_info {
 	void *data;
 };
 
+struct ptp_ocp_firmware_header {
+	char magic[4];
+	__be16 pci_vendor_id;
+	__be16 pci_device_id;
+	__be32 image_size;
+	__be16 hw_revision;
+	__be16 crc;
+};
+
+#define OCP_FIRMWARE_MAGIC_HEADER "OCPC"
+
 struct ptp_ocp_i2c_info {
 	const char *name;
 	unsigned long fixed_rate;
@@ -1333,25 +1345,81 @@ ptp_ocp_find_flash(struct ptp_ocp *bp)
 	return dev;
 }
 
+static int
+ptp_ocp_devlink_fw_image(struct devlink *devlink, const struct firmware *fw,
+			 const u8 **data, size_t *size)
+{
+	struct ptp_ocp *bp = devlink_priv(devlink);
+	const struct ptp_ocp_firmware_header *hdr;
+	size_t offset, length;
+	u16 crc;
+
+	hdr = (const struct ptp_ocp_firmware_header *)fw->data;
+	if (memcmp(hdr->magic, OCP_FIRMWARE_MAGIC_HEADER, 4)) {
+		devlink_flash_update_status_notify(devlink,
+			"No firmware header found, flashing raw image",
+			NULL, 0, 0);
+		offset = 0;
+		length = fw->size;
+		goto out;
+	}
+
+	if (be16_to_cpu(hdr->pci_vendor_id) != bp->pdev->vendor ||
+	    be16_to_cpu(hdr->pci_device_id) != bp->pdev->device) {
+		devlink_flash_update_status_notify(devlink,
+			"Firmware image compatibility check failed",
+			NULL, 0, 0);
+		return -EINVAL;
+	}
+
+	offset = sizeof(*hdr);
+	length = be32_to_cpu(hdr->image_size);
+	if (length != (fw->size - offset)) {
+		devlink_flash_update_status_notify(devlink,
+			"Firmware image size check failed",
+			NULL, 0, 0);
+		return -EINVAL;
+	}
+
+	crc = crc16(0xffff, &fw->data[offset], length);
+	if (be16_to_cpu(hdr->crc) != crc) {
+		devlink_flash_update_status_notify(devlink,
+			"Firmware image CRC check failed",
+			NULL, 0, 0);
+		return -EINVAL;
+	}
+
+out:
+	*data = &fw->data[offset];
+	*size = length;
+
+	return 0;
+}
+
 static int
 ptp_ocp_devlink_flash(struct devlink *devlink, struct device *dev,
 		      const struct firmware *fw)
 {
 	struct mtd_info *mtd = dev_get_drvdata(dev);
 	struct ptp_ocp *bp = devlink_priv(devlink);
-	size_t off, len, resid, wrote;
+	size_t off, len, size, resid, wrote;
 	struct erase_info erase;
 	size_t base, blksz;
-	int err = 0;
+	const u8 *data;
+	int err;
+
+	err = ptp_ocp_devlink_fw_image(devlink, fw, &data, &size);
+	if (err)
+		goto out;
 
 	off = 0;
 	base = bp->flash_start;
 	blksz = 4096;
-	resid = fw->size;
+	resid = size;
 
 	while (resid) {
 		devlink_flash_update_status_notify(devlink, "Flashing",
-						   NULL, off, fw->size);
+						   NULL, off, size);
 
 		len = min_t(size_t, resid, blksz);
 		erase.addr = base + off;
@@ -1361,7 +1429,7 @@ ptp_ocp_devlink_flash(struct devlink *devlink, struct device *dev,
 		if (err)
 			goto out;
 
-		err = mtd_write(mtd, base + off, len, &wrote, &fw->data[off]);
+		err = mtd_write(mtd, base + off, len, &wrote, data + off);
 		if (err)
 			goto out;
 
-- 
2.31.1

next prev parent reply	other threads:[~2022-05-13 22:59 UTC|newest]

Thread overview: 20+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2022-05-13 22:59 [PATCH net-next v3 00/10] ptp: ocp: various updates Jonathan Lemon
2022-05-13 22:59 ` [PATCH net-next v3 01/10] ptp: ocp: 32-bit fixups for pci start address Jonathan Lemon
2022-05-13 22:59 ` [PATCH net-next v3 02/10] ptp: ocp: add Celestica timecard PCI ids Jonathan Lemon
2022-05-17  0:43   ` Jakub Kicinski
2022-05-17  1:46     ` Jonathan Lemon
2022-05-17 15:25       ` Jakub Kicinski
2022-05-17 15:45         ` Jonathan Lemon
2022-05-13 22:59 ` [PATCH net-next v3 03/10] ptp: ocp: revise firmware display Jonathan Lemon
2022-05-13 22:59 ` [PATCH net-next v3 04/10] ptp: ocp: parameterize input/output sma selectors Jonathan Lemon
2022-05-13 22:59 ` [PATCH net-next v3 05/10] ptp: ocp: constify selectors Jonathan Lemon
2022-05-13 22:59 ` [PATCH net-next v3 06/10] ptp: ocp: vectorize the sma accessor functions Jonathan Lemon
2022-05-13 22:59 ` [PATCH net-next v3 07/10] ptp: ocp: add .init function for sma_op vector Jonathan Lemon
2022-05-13 22:59 ` [PATCH net-next v3 08/10] ptp: ocp: fix PPS source selector reporting Jonathan Lemon
2022-05-17  0:43   ` Jakub Kicinski
2022-05-17  1:54     ` Jonathan Lemon
2022-05-17 15:32       ` Jakub Kicinski
2022-05-17 15:39       ` Jonathan Lemon
2022-05-17 16:19         ` Jakub Kicinski
2022-05-13 22:59 ` Jonathan Lemon [this message]
2022-05-13 22:59 ` [PATCH net-next v3 10/10] ptp: ocp: change sysfs attr group handling Jonathan Lemon

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:67733b319bd dfblob:4ff7f16242c )
 OR (
bs:"[PATCH net-next v3 09/10] ptp: ocp: Add firmware header checks" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20220513225924.1655-10-jonathan.lemon@gmail.com \
    --to=jonathan.lemon@gmail.com \
    --cc=davem@davemloft.net \
    --cc=edumazet@google.com \
    --cc=kernel-team@fb.com \
    --cc=kuba@kernel.org \
    --cc=netdev@vger.kernel.org \
    --cc=pabeni@redhat.com \
    --cc=richardcochran@gmail.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.