From mboxrd@z Thu Jan 1 00:00:00 1970
Received: from eggs.gnu.org ([2001:4830:134:3::10]:39497) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1XRfdF-00077J-Ht for qemu-devel@nongnu.org; Wed, 10 Sep 2014 07:00:19 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1XRfd5-00037w-Er for qemu-devel@nongnu.org; Wed, 10 Sep 2014 07:00:13 -0400
Received: from mail-wg0-f49.google.com ([74.125.82.49]:36813) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1XRfd5-00036u-9m for qemu-devel@nongnu.org; Wed, 10 Sep 2014 07:00:03 -0400
Received: by mail-wg0-f49.google.com with SMTP id m15so4377865wgh.32 for ; Wed, 10 Sep 2014 04:00:02 -0700 (PDT)
From: Ard Biesheuvel
Date: Wed, 10 Sep 2014 12:59:48 +0200
Message-Id: <1410346790-31743-3-git-send-email-ard.biesheuvel@linaro.org>
In-Reply-To: <1410346790-31743-1-git-send-email-ard.biesheuvel@linaro.org>
References: <1410346790-31743-1-git-send-email-ard.biesheuvel@linaro.org>
Subject: [Qemu-devel] [PATCH v2 2/4] hw/arm/boot: pass an address limit to and return size from load_dtb()
List-Id:
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
To: peter.maydell@linaro.org, qemu-devel@nongnu.org
Cc: christoffer.dall@linaro.org, Ard Biesheuvel

Add an address limit input parameter to load_dtb() so that we can tell it how much memory the dtb is allowed to consume. If the dtb doesn't fit, return 0, otherwise return the actual size of the loaded dtb, or -1 on error.

Signed-off-by: Ard Biesheuvel
---
 hw/arm/boot.c | 16 +++++++++++++---
 1 file changed, 13 insertions(+), 3 deletions(-)

diff --git a/hw/arm/boot.c b/hw/arm/boot.c
index 50eca931e1a4..014fab347b09 100644
--- a/hw/arm/boot.c
+++ b/hw/arm/boot.c
@@ -312,7 +312,8 @@ static void set_kernel_args_old(const struct arm_boot_info *info) } } -static int load_dtb(hwaddr addr, const struct arm_boot_info *binfo) +static int load_dtb(hwaddr addr, const struct arm_boot_info *binfo, + hwaddr addr_limit) { void *fdt = NULL; int size, rc; @@ -341,6 +342,15 @@ static int load_dtb(hwaddr addr, const struct arm_boot_info *binfo) } } + if (addr_limit > addr && size > (addr_limit - addr)) { + /* We have been given a non-zero address limit and we have exceeded + * it. Whether this is constitues a failure is up to the caller to + * decide, so just return 0 as size, i.e., no error. + */ + g_free(fdt); + return 0; + } + acells = qemu_fdt_getprop_cell(fdt, "/", "#address-cells"); scells = qemu_fdt_getprop_cell(fdt, "/", "#size-cells"); if (acells == 0 || scells == 0) { @@ -403,7 +413,7 @@ static int load_dtb(hwaddr addr, const struct arm_boot_info *binfo) g_free(fdt); - return 0; + return size; fail: g_free(fdt); @@ -572,7 +582,7 @@ void arm_load_kernel(ARMCPU *cpu, struct arm_boot_info *info) */ hwaddr dtb_start = QEMU_ALIGN_UP(info->initrd_start + initrd_size, 4096); - if (load_dtb(dtb_start, info)) { + if (load_dtb(dtb_start, info, 0) < 0) { exit(1); } fixupcontext[FIXUP_ARGPTR] = dtb_start; -- 1.8.3.2
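Review bot: in the `@@ -312,7 +312,8 @@` hunk the new `hwaddr addr_limit` parameter carries an implicit convention (a value of 0 disables the limit, which the `arm_load_kernel()` caller later relies on) that nothing in this hunk documents. Add a comment above `load_dtb()` stating that `addr_limit == 0` means "no limit" and that the function returns the loaded size, 0 when the dtb does not fit, or -1 on error, so future callers do not have to infer the contract from the body.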
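Review bot: in the `@@ -341,6 +342,15 @@` hunk the guard `if (addr_limit > addr && size > (addr_limit - addr))` silently skips the check when a non-zero `addr_limit` is at or below `addr`, although in that case no bytes fit at all; either treat that case as "does not fit" too (for example `if (addr_limit && (addr_limit <= addr || size > addr_limit - addr))`) or state in the comment that callers must pass `addr_limit > addr`. The comparison also mixes the `int size` with a `hwaddr` difference, which is only safe while `size` is positive at this point; a short note to that effect would help. Finally, the comment has a typo: "Whether this is constitues a failure" should read "Whether this constitutes a failure".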
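Review bot: in the `@@ -403,7 +413,7 @@` hunk changing the success path from `return 0;` to `return size;` changes what a truthy return value means for every caller of `load_dtb()`; the only caller updated in the visible hunks is `arm_load_kernel()`, so confirm that no other caller still tests `if (load_dtb(...))` as a failure check, since such code would now treat every successful load as an error. Because 0 is now a valid non-error outcome ("did not fit") and only the `fail:` path yields -1, a one-line comment at `return size;` describing the three-way contract would make the change self-explanatory.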
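Review bot: in the `@@ -572,7 +582,7 @@` hunk the caller passes a bare `0` in `if (load_dtb(dtb_start, info, 0) < 0)`, and a reader has to know that 0 means "no limit" to see why `< 0` rather than `!= 0` is the right test. A named constant or a brief comment at the call site would make that explicit, and would also document that the 0 "did not fit" return cannot occur on this path.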