Re: [PATCH v2] generic-loader: check that binary file target location exists

[Damien Hedde <damien.hedde@greensocs.com>]

On 11/1/21 11:53, Peter Maydell wrote:
> On Tue, 26 Oct 2021 at 15:11, Damien Hedde <damien.hedde@greensocs.com> wrote:
>>
>> When loading a binary file, we only check if it is smaller than the
>> ram_size. It does not really check if the file will be loaded at an
>> existing location (if there is nothing at the target address, it will
>> "fail" silently later). It prevents loading a binary blob bigger than
>> ram_size too even if the target location is big enough.
>>
>> Replace this check by looking for the target memory region size and
>> prevent loading a bigger file than the available space.
>>
>> Get rid of "hw/boards.h" include, since we needed it only to access
>> `current_machine`.
>>
>> Signed-off-by: Damien Hedde <damien.hedde@greensocs.com>
>> ---
>>
>> Hi,
>>
>> This is an updated version implementing what we discussed in v1.
>>
>> This can be tested easily, eg, using opentitan machine which has a 64K ram
>> located at 0x10000000.
>>
>> the following works (we a blob corresponding to the whole ram)
>> | $ dd bs=1K count=64 if=/dev/zero of=blob.bin
>> | $ qemu-system-riscv32 -display none -M opentitan -device loader,addr=0x10000000,file=blob.bin
>>
>> but this command fails because we load a blob which is too big
>> | $ dd bs=1K count=64 if=/dev/zero of=blob.bin
>> | $ qemu-system-riscv32 -display none -M opentitan -device loader,addr=0x10001000,file=blob.bin
>> | qemu-system-riscv32: -device loader,addr=0x10001000,file=blob.bin: Cannot load specified image blob.bin
>>
>> and this command fails too (we load a blob at an unmapped location)
>> | $ dd bs=1K count=64 if=/dev/zero of=blob.bin
>> | $ qemu-system-riscv32 -display none -M opentitan -device loader,addr=0x0,file=blob.bin
>> | qemu-system-riscv32: -device loader,addr=0x0,file=blob.bin: Address 0x0 does not exists
>>
>> Thanks,
>> Damien
>>
>> v2:
>>   + instead of disabling the ram_size check, look for the target
>>
>> v1: https://lists.nongnu.org/archive/html/qemu-devel/2021-10/msg01077.html
>>
>> See also the original discussion about generic-loader:
>> https://lists.gnu.org/archive/html/qemu-devel/2016-02/msg04668.html
>> https://lists.gnu.org/archive/html/qemu-devel/2016-02/msg04681.html
>> ---
>>   hw/core/generic-loader.c | 20 +++++++++++++++++---
>>   1 file changed, 17 insertions(+), 3 deletions(-)
>>
>> diff --git a/hw/core/generic-loader.c b/hw/core/generic-loader.c
>> index d14f932eea..88d3f9fd56 100644
>> --- a/hw/core/generic-loader.c
>> +++ b/hw/core/generic-loader.c
>> @@ -34,7 +34,6 @@
>>   #include "hw/core/cpu.h"
>>   #include "sysemu/dma.h"
>>   #include "sysemu/reset.h"
>> -#include "hw/boards.h"
>>   #include "hw/loader.h"
>>   #include "hw/qdev-properties.h"
>>   #include "qapi/error.h"
>> @@ -153,8 +152,23 @@ static void generic_loader_realize(DeviceState *dev, Error **errp)
>>           }
>>
>>           if (size < 0 || s->force_raw) {
>> -            /* Default to the maximum size being the machine's ram size */
>> -            size = load_image_targphys_as(s->file, s->addr, current_machine->ram_size, as);
>> +            MemoryRegion *root = as ? as->root : get_system_memory();
>> +            MemoryRegionSection mrs;
>> +            uint64_t avail = 0;
>> +
>> +            mrs = memory_region_find(root, s->addr, 1);
>> +
>> +            if (mrs.mr) {
>> +                avail = int128_get64(mrs.mr->size) - mrs.offset_within_region;
>> +                memory_region_unref(mrs.mr);
>> +            } else {
>> +                error_setg(errp, "Address 0x%" PRIx64 " does not exists",
>> +                           s->addr);
>> +                return;
>> +            }
> 
> Won't this break the case of loading a file that spans two
> consecutive-but-different memory regions ?

yes. I did not thought about that.

>                                            I think if we want
> to catch "we tried to load something to an address not backed
> by something" we should do that by making load_image_targetphys_as()
> correctly handle errors from the memory accesses it makes and
> propagate an error-return to the caller.
>

The problem is that load_image_targetphys_as() just uses rom_load_...(). 
And these macros/functions only put some "rom to load" objects in a list 
without doing any real accesses.

The list is checked after against overlapping between "rom to load" objects.
But the real writing is done during reset, and any bad access is 
silently ignored.

In consequence:
+ it is possible for the memory structure to be populated (or even 
changed) between rom_load..() calls and real writing.
+ we ignore missing parts

I do not know if we make an actual use of these "features".

I'm not sure what will be the best course of action here in order to do 
the checks in rom_load_...().

Thanks,
Damien